
DNS RPZ Hits by Clients (Drilldown)

RPZ Hits by Client report with drilldown. HTH.

 Screen Shot 2017-10-24 at 17.39.49.png

 

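<form>
  <label>DNS RPZ Hits by Clients (Drilldown)</label>
  <description></description>
  <!-- Inputs below define the tokens $time$, $topn$, $members$, $client_str$
       and $dns_view_str$, which are substituted into the panel searches.
       All inputs are applied together when the submit button is pressed. -->
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- $topn$ is consumed by "| head $topn$" in the first panel; every
         choice is numeric, so the substitution cannot change the SPL shape. -->
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>100</default>
      <initialValue>100</initialValue>
    </input>
    <!-- Selected members are expanded to (orig_host="a" OR orig_host="b" ...);
         the "All" choice yields the bare wildcard "*". -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <!-- Free-text client filter. "All" maps $client_str$ to "*"; any other
         value becomes a quoted CLIENT="..." term (wildcards allowed). -->
    <input type="text" token="client">
      <label>Client (e.g. *10.120.20.*)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="client_str">*</set>
        </condition>
        <condition value="*">
          <set token="client_str">(CLIENT="$value$")</set>
        </condition>
      </change>
    </input>
    <!-- DNS view filter, populated from display_name; same "All" -> "*"
         mapping as the client input. -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">(display_name="$value$")</set>
        </condition>
      </change>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Top-N clients by RPZ hit count. The "sort - count" step is required
           so that "head $topn$" keeps the busiest clients rather than the
           first N rows in stats order. -->
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits 
            $members$
            $client_str$
            $dns_view_str$ 
            | stats count by CLIENT
            | sort - count
            | head $topn$ 
            | rename CLIENT as "Client ID", count as "Total Client Hits" 
            | table "Client ID", "Total Client Hits"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <!-- Clearing the drilldown token while this search runs hides the
               dependent detail panel until a row is clicked again. -->
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="conditional_value">$row.Client ID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Detail panel, shown only once a client row has been clicked.
           The clicked value comes from indexed data, so it is passed through
           the |s filter, which quotes and escapes it before it is spliced
           into the search string. -->
      <table depends="$conditional_value$">
        <title>RPZ Events for Client ID=$conditional_value$</title>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits DOMAIN_NAME=* CLIENT=$conditional_value|s$ 
            | stats count by DOMAIN_NAME
            | rename DOMAIN_NAME as "Domain Name", count as "Total Client Hits"
            | table "Domain Name", "Total Client Hits"
            | sort "Total Client Hits" desc</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>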

 
