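```Per-client DNS tunneling summary: rows from the si_dns_tunneling_activity report plus RPZ hits whose QNAME ends with a zone listed in analytics_rpz_lookup.```
index=ib_security_summary report=si_dns_tunneling_activity
| append
    [ search index=ib_dns_summary report=si_dns_rpz_hits
      ```The capture group had lost its name, leaving "(?[" which is not a valid regex. It is restored as l3domain, the field the final stats groups by. It captures the three labels that precede the last label of RPZ_QNAME.```
      | rex field=RPZ_QNAME "(?<l3domain>[^\.]+\.[^\.]+\.[^\.]+)\.[^\.]+$"
      ```A constant key pairs each RPZ hit with the lookup. NOTE(review): join defaults to max=1, so each hit is compared with only one lookup row. If analytics_rpz_lookup can hold several zones, confirm whether max=0 is intended, otherwise hits in the other zones are never reported.```
      | eval JOIN_FIELD=1
      | join JOIN_FIELD
          [ | inputlookup analytics_rpz_lookup
            | eval JOIN_FIELD=1 ]
      ```Suffix match on the zone name. like() also treats any "_" or "%" inside ANALYTICS_RPZ as a wildcard.```
      | where like(RPZ_QNAME, "%" + ANALYTICS_RPZ)
      ```Drops hits whose MITIGATION_ACTION is "ER" (the code's meaning is not shown here). Hits with no MITIGATION_ACTION value are dropped as well.```
      | where MITIGATION_ACTION != "ER"
      | eval DNST_CATEGORY="Detected by Analytics Engine"
      | eval RULE_DESCRIPTION=ANALYTICS_RPZ ]
```stats discards any row missing one of the by-fields, so an RPZ hit whose QNAME has fewer than four labels (no l3domain extracted) is not counted.```
| stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, l3domain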