This dashboard captures the 2 level domain name in the DNS firewall messges and counts of them. Useful in pre-implmentation to gage the affect of blocking mode and in production to see if a particular threat by domain name is present. 

Dashbaord XML

<form>

  <label>L2 Domain Blocked on DNS Firewall</label>

  <fieldset submitButton="false" autoRun="true">

    <input type="time" token="datetime">

      <label></label>

      <default>

        <earliest>-7d@h</earliest>

        <latest>now</latest>

      </default>

    </input>

  </fieldset>

  <row>

    <panel>

      <table>

        <search>

          <query>index=ib_dns_summary source="si-search-dns-rpz-hits"
| rex field=DOMAIN_NAME "^.*(\.|^)(?&lt;l2domain&gt;[^\.]+\..*)"
| table l2domain, TOTAL_COUNT
| stats sum(TOTAL_COUNT) as Matches by l2domain
| sort by Matches desc</query>

          <earliest>$datetime.earliest$</earliest>

          <latest>$datetime.latest$</latest>

        </search>

        <option name="wrap">true</option>

        <option name="rowNumbers">false</option>

        <option name="drilldown">cell</option>

        <option name="dataOverlayMode">none</option>

        <option name="count">10</option>

      </table>

    </panel>

  </row>

</form>