
DNS Requested Domain Count


 

This is a modification of the default "DNS Top Requested Domain Names" dashboard that lets you filter on the FQDN instead of the TLD. Using wildcards, you can see a count of queries per subdomain. The example below shows all of the queries for *.infoblox.com.

 

screencapture-demogm1-infoblox-ui-K_fi2SWtSRsUhNpitFA_Hg-K_f31-i2Sb9-1477933541315.png

 

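<form>
  <!-- Clone of the stock "DNS Top Requested Domain Names" dashboard that filters on the
       full FQDN (wildcards allowed) instead of the TLD. All inputs feed one base search
       whose results are shared by the chart and the table below. -->
  <label>DNS Requested Domain Count</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Row limit applied by "head" in base_search. -->
    <input type="dropdown" token="topn" searchWhenChanged="false">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
    </input>
    <!-- Member filter. Selected orig_host values are emitted as
         (orig_host="a" OR orig_host="b"); the "*" choice (default) matches every member. -->
    <input type="multiselect" token="members" searchWhenChanged="false">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Free-text domain filter. fqdn_str is the SPL fragment spliced into base_search:
         "All" becomes "*" (no filter); anything else becomes FQDN=<quoted value>.
         The |s token filter wraps the typed value in double quotes and escapes any
         embedded quotes and backslashes, so a stray quote in the box cannot break out
         of the FQDN= term or alter the rest of the search. Wildcards such as
         *.example.com still work inside the quotes. -->
    <input type="text" token="FQDN">
      <label>Domain</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="fqdn_str">*</set>
        </condition>
        <!-- value="*" is the catch-all condition and must stay after the "All" match. -->
        <condition value="*">
          <set token="fqdn_str">FQDN=$value|s$</set>
        </condition>
      </change>
    </input>
    <!-- DNS view filter, populated from the display_name values present in the index.
         Quoted with |s for the same reason as the Domain input. -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <default>All</default>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">display_name=$value|s$</set>
        </condition>
      </change>
    </input>
    <!-- Visualization toggle: sets/unsets show_chart and show_table, which the panels
         below depend on. -->
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Bar Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Shared base search. Note the pipeline order: "head" runs before "eventstats", so
       TOTAL and PERCENT describe the share of queries within the displayed top-N set,
       not of all queries matching the filters. -->
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_requested_domain
              $members$
              $fqdn_str$
              $dns_view_str$
              | stats sum(COUNT) as FQDN_TOTAL by FQDN
              | sort -FQDN_TOTAL
              | head $topn$
              | eventstats sum(FQDN_TOTAL) as TOTAL
              | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1)
              | eval PHOST=FQDN+" ("+PERCENT+"%)"
              | rename FQDN_TOTAL as Count, PHOST as "Domain Name"
              | fields "Domain Name", Count</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <!-- NOTE(review): isVisible does not look like a standard Simple XML panel attribute;
         the depends= on the chart element is what toggles visibility here. Confirm on the
         target Splunk version. -->
    <panel isVisible="$show_chart$">
      <chart depends="$show_chart$">
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Domain Name</option>
        <option name="charting.axisTitleY.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel isVisible="$show_table$">
      <table depends="$show_table$">
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>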

 

Re: DNS Requested Domain Count


Here is an enhanced version that shows the total for the filtered domains.

 

screencapture-demogm1-infoblox-ui-hTrnMtq4eXxEMjY6zwcfzg-hTr75-Trn5f-1478109944310.png

 

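<form>
  <!-- Variant of the FQDN-filtered "DNS Top Requested Domain Names" dashboard with an
       added single-value panel showing the total of the displayed rows. All inputs feed
       one base search shared by the single value, the chart and the table. -->
  <label>DNS Requested Domain Count</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Row limit applied by "head" in base_search. -->
    <input type="dropdown" token="topn" searchWhenChanged="false">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
    </input>
    <!-- Member filter. Selected orig_host values are emitted as
         (orig_host="a" OR orig_host="b"); the "*" choice (default) matches every member. -->
    <input type="multiselect" token="members" searchWhenChanged="false">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Free-text domain filter. fqdn_str is the SPL fragment spliced into base_search:
         "All" becomes "*" (no filter); anything else becomes FQDN=<quoted value>.
         The |s token filter wraps the typed value in double quotes and escapes any
         embedded quotes and backslashes, so a stray quote in the box cannot break out
         of the FQDN= term or alter the rest of the search. Wildcards such as
         *.example.com still work inside the quotes. -->
    <input type="text" token="FQDN">
      <label>Domain</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="fqdn_str">*</set>
        </condition>
        <!-- value="*" is the catch-all condition and must stay after the "All" match. -->
        <condition value="*">
          <set token="fqdn_str">FQDN=$value|s$</set>
        </condition>
      </change>
    </input>
    <!-- DNS view filter, populated from the display_name values present in the index.
         Quoted with |s for the same reason as the Domain input. -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <default>All</default>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">display_name=$value|s$</set>
        </condition>
      </change>
    </input>
    <!-- Visualization toggle: sets/unsets show_chart and show_table, which the chart and
         table elements below depend on. The single-value panel is always shown. -->
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Bar Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Shared base search. Note the pipeline order: "head" runs before "eventstats", so
       TOTAL and PERCENT describe the share of queries within the displayed top-N set,
       not of all queries matching the filters. -->
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_requested_domain
              $members$
              $fqdn_str$
              $dns_view_str$
              | stats sum(COUNT) as FQDN_TOTAL by FQDN
              | sort -FQDN_TOTAL
              | head $topn$
              | eventstats sum(FQDN_TOTAL) as TOTAL
              | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1)
              | eval PHOST=FQDN+" ("+PERCENT+"%)"
              | rename FQDN_TOTAL as Count, PHOST as "Domain Name"
              | fields "Domain Name", Count</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <!-- Sums the Count column of the base search results, i.e. the queries for the
           top-N domains kept by "head", not for every domain matching the filters. -->
      <single>
        <title>Total Requests</title>
        <search base="base_search">
          <query>| stats sum(Count)</query>
        </search>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="linkView">search</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="trendInterval">auto</option>
        <!-- Show the text the user typed (or "All"), not the SPL fragment in fqdn_str. -->
        <option name="underLabel">Total queries for $FQDN$</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart depends="$show_chart$">
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Domain Name</option>
        <option name="charting.axisTitleY.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$show_table$">
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>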