Trying to generate alert where more than 10 txt request has been sent in 5 min or where bas64 encoded data has been sent in txt or AAAA record of DNS

| where (count_ >= 10 and TimeSpan <= timespan(00:05:00) and RecordType == "TXT") or
where [(Domain matches regex "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
and strlen(Domain)>40 and where (RecordType == "TXT" or RecordType == "AAAA")]