
DNS Replies Trend report

Authority
Posts: 8

I'm looking to see if anyone knows or has a report that gives a total number of specific replies for whatever date range is input. I'm trying to show total number of NXDOMAIN queries for a month, week, etc. at a time and the DNS Replies report only shows 10 minute intervals and doesn't give an overall total number count.

 

Does anyone know the Splunk code where I can just input a date range and get a total count of NXDOMAIN or Successful queries?

 

Thanks. 

Re: DNS Replies Trend report

Superuser
Posts: 81

Hello Steve,

 

I'm not sure if you're still looking for this, but this simple SPL should return the net number of NXDOMAIN responses from the Infoblox DNS servers on a per-member basis (for the selected time range):

 

index=ib_dns_summary report=si_top_nxdomain_query
| stats sum(COUNT) as QCOUNT by orig_host
| rename orig_host as SERVER_NAME
| sort -QCOUNT

 

Note that the data for this specific report/index is updated every 30 minutes, starting at the 5th minute of each half hour. Data covers the first 30 minutes of the previous 60 minutes, so you should keep that in mind if you intend to do real-time testing. Having a data connector in the grid would enable you to get more refined reports for such use cases. An advantage is that the index data for this category (ib_dns_capture) is expected to be updated in real time. Let me know if you have any questions.

 

All the best.
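As an added example, not from the answer above or from Infoblox, here is the same search extended to answer the original question: an explicit date range, a grand total across all members, and a second search giving one NXDOMAIN total per day for a trend. It uses only the index, report and field names already on this page (ib_dns_summary, si_top_nxdomain_query, COUNT, orig_host); the time bounds are constructed values, and the latest=-1h@m cut-off is an assumption drawn from the stated refresh cadence (the summary index lags by up to about an hour, so ending the range at "now" would under-count the most recent interval). Tracking this total over time is useful from a defender's side because a sustained rise in NXDOMAIN volume on a member is a common prompt to look at which clients are driving it.

```spl
index=ib_dns_summary report=si_top_nxdomain_query earliest=-30d@d latest=-1h@m
| stats sum(COUNT) as QCOUNT by orig_host
| rename orig_host as SERVER_NAME
| sort -QCOUNT
| addcoltotals labelfield=SERVER_NAME label="ALL_MEMBERS"

index=ib_dns_summary report=si_top_nxdomain_query earliest=-30d@d latest=-1h@m
| timechart span=1d sum(COUNT) as NXDOMAIN_PER_DAY
```

The first search keeps the per-member rows and appends one extra row labelled ALL_MEMBERS whose QCOUNT is the sum, which is the single monthly figure the question asks for; swap earliest=-30d@d for -7d@d (or pick the range in the time picker and drop both modifiers) for a weekly total. The second search buckets the same data by day, which is the trend view the built-in 10-minute report does not give. The same pattern applies to successful replies once you know the report value that carries them in your Reporting server; that name is not on this page, so it is not assumed here.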
