05-28-2019 06:34 AM
I'm looking to see if anyone knows or has a report that gives a total number of specific replies for whatever date range is input. I'm trying to show total number of NXDOMAIN queries for a month, week, etc. at a time and the DNS Replies report only shows 10 minute intervals and doesn't give an overall total number count.
Does anyone know the Splunk code where I can just input a date range and get a total count of NXDOMAIN or Successful queries?
06-20-2019 06:20 PM - edited 06-20-2019 06:23 PM
I’m not sure if you’re still looking for this, but this simple SPL should return the net number of NXDOMAIN responses from the Infoblox DNS servers, on a per-member basis (for the given time range):
index=ib_dns_summary report=si_top_nxdomain_query | stats sum(COUNT) as QCOUNT by orig_host | rename orig_host as SERVER_NAME | sort -QCOUNT
Note that the data for this specific report/index is updated every 30 minutes, starting at the 5th minute of each half hour. The data covers the first 30 minutes of the previous 60 minutes, so keep that in mind if you intend to do real-time testing. Having a data connector in the grid would enable you to get more refined reports for such use cases. An advantage is that the index data for this category (ib_dns_capture) is expected to be updated in real time. Let me know if you have any questions.
All the best,
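As an added example (not from the poster above), the same search with an explicit date range and a grand-total row, which is what the original question asked for; it assumes the same ib_dns_summary index, si_top_nxdomain_query report and COUNT/orig_host fields. The earliest/latest modifiers accept any Splunk time expression (here the last 30 whole days, which also avoids the half-hour lag of the current day), addcoltotals appends an ALL_MEMBERS summary row, and the second search returns one row per week for charting totals over time.

```spl
index=ib_dns_summary report=si_top_nxdomain_query earliest=-30d@d latest=@d
| stats sum(COUNT) as QCOUNT by orig_host
| rename orig_host as SERVER_NAME
| sort -QCOUNT
| addcoltotals QCOUNT labelfield=SERVER_NAME label="ALL_MEMBERS"

index=ib_dns_summary report=si_top_nxdomain_query earliest=-30d@d latest=@d
| timechart span=1w sum(COUNT) as NXDOMAIN_PER_WEEK
```

Swap the earliest/latest values for -7d@d or a fixed range such as earliest="05/01/2019:00:00:00" latest="06/01/2019:00:00:00" to get a week or a calendar month.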