DNS RPZ hits by category

Today I received the following request:


We have a large increase in the number of DNS RPZ hits:

And I would like to build a report graphing the DNS RPZ hits by category.


So here is the search to use:


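index=ib_dns_summary report=si_dns_rpz_hits
```Source: the summary index written by the si_dns_rpz_hits report. The search ends in a timechart, so every column other than _time, QCOUNT and the zone name is carried along for reuse in a table, not for the chart itself.```
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
```Null fields would drop the row out of the stats split below, so they are normalised to explicit values first```
| eval RECORD_DATA=if(isnull(RECORD_DATA), "", RECORD_DATA)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY), "", RPZ_SEVERITY)
```IP-based RPZ rules end in "rpz-ip.<zone>"; keep only the zone part```
| rex field=RPZ_QNAME ".*rpz-ip\.(?<RPZ_Zone_ip>.*)"
```Name-based rules: the zone is whatever follows "<DOMAIN_NAME>." in RPZ_QNAME; fall back to the rpz-ip capture when the tail still contains "rpz-ip"```
| eval RPZ_Zone_extract=split(RPZ_QNAME, DOMAIN_NAME . "."), RPZ_Zone=mvindex(RPZ_Zone_extract, -1), RPZ_Zone_Name=if(match(RPZ_Zone, "rpz-ip"), RPZ_Zone_ip, RPZ_Zone)
```"ER" rows are resolver errors rather than policy decisions and are excluded here; the "Error" label in the case() below is therefore never reached. Drop this filter if errors should show up on the chart.```
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, RPZ_Zone_Name, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| convert ctime(_time) as Time
| sort -QCOUNT
```Decode the action and severity codes. The true() default keeps an unrecognised code visible as-is instead of silently turning the field null.```
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error", true(), MITIGATION_ACTION)
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "", true(), RPZ_SEVERITY)
```Field names are case-sensitive: the field is RPZ_Zone_Name (capital N). The earlier "RPZ_Zone_name" matched nothing, so the rename was a silent no-op.```
| rename RPZ_Zone_Name as "RPZ Zone Name", CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
```Counts every non-error action, including Passthru, so the series are RPZ hits per zone, not blocked queries per zone```
| timechart span=10m sum("Total Client Hits") by "RPZ Zone Name"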


And the result:


