diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index e45a65e78c59053d72573ef14d96fe96b08a29c4..3d92af056b5d0ee30ec1e2dd0c58e8b8916aaf53 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -73,6 +73,17 @@ filter {
 
 # to do cached and cached reverse
 
+      else if [NODATA-IPv4] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+      else if [NODATA-IPv6] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
 
       if [request_from] and [message] =~ "query" {
         mutate {
@@ -131,15 +142,13 @@ filter {
         }
       }
 
-     
-
-      else if [message] =~ "cached" and [message] =~ "CNAME" {
+      else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
         mutate {
           add_tag => [ "cached domain to ip cname" ]
         }
       }
 
-	  else if [domain_request] and [message] =~ "cached" {
+      else if [domain_request] and [message] =~ "cached" {
         mutate {
           add_tag => [ "cached domain to ip" ]
         }
@@ -154,17 +163,6 @@ filter {
         }
       }
 
-      else if [NODATA-IPv4] {
-        mutate {
-          add_tag => [ "NODATA" ]
-        }
-      }
-
-      else if [NODATA-IPv6] {
-        mutate {
-          add_tag => [ "NODATA" ]
-        }
-      }
 
 
   mutate {
@@ -175,7 +173,7 @@ filter {
 
     dns {
       reverse => ["source_fqdn"]
-      action => "replace"					  
+      action => "replace"
       hit_cache_size => 4096
       hit_cache_ttl => 900
       failed_cache_size => 512
@@ -189,15 +187,3 @@ filter {
 
   }
 }
-
-
-output {
-
-  if "pihole" in [tags]{
-      elasticsearch {
-            hosts => [""<ELASTICSEARCHHOST:PORT>""]
-#            manage_template => false
-            index => "logstash-syslog-dns-%{+YYYY.MM}"
-  }
- }
-}
\ No newline at end of file