Hello! I'm working on a query in Sumo Logic and need some guidance on how to refer to reference lists. I've created a reference list that updates daily with a list of known beaconing servers. Here's the query I have so far:

$e.metadata.event_type = "NETWORK_DNS"
$e.principal.hostname = $host
$e.network.dns.questions.name in %reference_list

match:
$host over 4h

condition:
$e

My goal is to check if hosts are connecting to the domains listed in the reference list. It shows that no detections are being found -- I feel like I am missing an aspect on this query. I have tried to change the match to be $host, %reference_list over 4h, but it doesn't seem to be working. 

Thank you!