
Reporting


DNS Metrics


Hi all, I'm trying to make a Dashboard that will get me DNS Metrics based on a selected date range using the DNS Replies Trend cloned report. Instead of collating the data 10 minutes apart and just giving a total number for each 10-minute increment, I want to collectively show how many NXDOMAIN/Success/etc. responses there are in TOTAL for the selected date range. My current code displays the DNS replies, but it's sorting and displaying by date.

Code:
<form>
  <label>DNS Metrics</label>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time range picker; feeds $time.earliest$ / $time.latest$ in every search below -->
    <input type="time" token="time" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Member filter; expands to (MEMBER="a" OR MEMBER="b"), or (MEMBER="*") when All is selected -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_query_reply
          | stats count by MEMBER</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>MEMBER</fieldForLabel>
      <fieldForValue>MEMBER</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>MEMBER="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Reply type filter; expands to ( TYPE="nxdomain" ) etc., or ( TYPE="*" ) when All is selected -->
    <input type="dropdown" token="response_type">
      <label>Response Type</label>
      <choice value="*">All</choice>
      <choice value="success">SUCCESS/ NOERROR</choice>
      <choice value="referral">REFERRAL</choice>
      <choice value="nxrrset">NXRRSET</choice>
      <choice value="nxdomain">NXDOMAIN</choice>
      <choice value="failure">REFUSED</choice>
      <choice value="other">OTHER</choice>
      <default>*</default>
      <prefix>( TYPE="</prefix>
      <suffix>" )</suffix>
      <initialValue>*</initialValue>
    </input>
    <!-- View selector; only sets/unsets the tokens that show or hide the two panels -->
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Line Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Base search: one row per day and reply type. Binning _time by day keeps a
       real timestamp on every row, so the post-process searches below can sort on
       it and format it (grouping by date_mday alone dropped _time, which made the
       rename/strftime/sort steps no-ops). -->
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_query_reply
      $members$ $response_type$
      | bin _time span=1d
      | stats sum(COUNT) as QCOUNT by _time, TYPE</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel isVisible="$show_chart$">
      <chart depends="$show_chart$">
        <search base="base_search">
          <query>| rename _time as Time
            | eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S %Z")</query>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Reply count</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel isVisible="$show_table$">
      <table depends="$show_table$">
        <search base="base_search">
          <query>| sort -_time
            | rename _time as Time
            | eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S %Z")</query>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Current Output: [screenshot: image.png]

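For the "total per reply type over the whole selected range" view the post asks about, here is an added example (not code from the original post): a second base search that drops the date from the `by` clause so one row per TYPE comes back for the full range, plus a table and bar chart fed from it. It assumes the same summary index, report name and tokens as the dashboard above; the PERCENT column is an addition that makes a shift in the NXDOMAIN share easy to see at a glance.

```xml
<!-- Added example, not from the original dashboard. Totals per reply TYPE across
     the whole selected time range, reusing the $time$, $members$ and
     $response_type$ tokens defined in the form above (assumed present). -->
<search id="range_totals">
  <query>index=ib_dns_summary report=si_dns_query_reply
    $members$ $response_type$
    | stats sum(COUNT) as QCOUNT by TYPE
    | eventstats sum(QCOUNT) as RANGE_TOTAL
    | eval PERCENT=round(100 * QCOUNT / RANGE_TOTAL, 2)
    | sort -QCOUNT
    | fields TYPE QCOUNT PERCENT</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
</search>
<row>
  <panel>
    <title>Replies by type, whole selected range</title>
    <table>
      <search base="range_totals">
        <query>| sort -QCOUNT</query>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
  <panel>
    <title>Reply count by type</title>
    <chart>
      <search base="range_totals">
        <query>| fields TYPE QCOUNT</query>
      </search>
      <option name="charting.chart">bar</option>
      <option name="charting.axisTitleX.text">Reply type</option>
      <option name="charting.axisTitleY.text">Reply count</option>
      <option name="charting.drilldown">none</option>
    </chart>
  </panel>
</row>
```

Because the base search no longer groups by day, changing the time picker simply changes the window the totals are summed over; leave the existing per-day base search in place if you still want the trend view alongside.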
