DNS Top Client per Domain w/Hostname Report

Here is a modified version of the 'Top DNS Client per Domain' report that adds the source client hostname next to the client IP address. The hostname comes from Splunk's built-in dnslookup external lookup, which performs a reverse (PTR) lookup at search time; because it runs after head 5, only the five listed addresses are resolved, and an address with no PTR record is shown with a blank hostname. The resolved name is whatever the owner of the address's reverse zone publishes, so treat it as a convenience label rather than an authenticated identity of the client.


index=ib_dns_summary report=si_top_clients_per_domain (orig_host="*") * * *
| stats sum(COUNT) as CLIENT_QUERIES by FQDN CLIENT
| sort -CLIENT_QUERIES
| head 5
| eventstats sum(CLIENT_QUERIES) as TOTAL
| eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1)
| eval PCLIENT=CLIENT+"("+PERCENT+"%)"
| rename FQDN as "Domain", CLIENT as "Client", CLIENT_QUERIES as Queries
| lookup dnslookup clientip as Client OUTPUT clienthost as CLIENT_RESOLVED
| fillnull value="" CLIENT_RESOLVED
| eval Client=Client." ".CLIENT_RESOLVED
| fields "Domain", "Client", Queries
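As an added illustration (not part of the original post or the Infoblox app), the following Python models the same pipeline offline: it sums COUNT by (FQDN, CLIENT), keeps the top five, computes the percentage over the kept rows, appends a reverse-resolved hostname, and falls back to an empty hostname the way fillnull does. The summary rows and the reverse-DNS table are constructed sample data standing in for ib_dns_summary and the dnslookup external lookup; the function and variable names are my own.

```python
"""Offline model of the modified 'Top DNS Client per Domain' search.

Mirrors the SPL pipeline: stats sum(COUNT) by FQDN CLIENT, sort -,
head 5, eventstats total, percentage, dnslookup, fillnull value="".
All data below is constructed; nothing here talks to a real resolver.
"""
from collections import defaultdict

# Constructed sample of ib_dns_summary rows (FQDN, CLIENT, COUNT).
SAMPLE_ROWS = [
    {"FQDN": "update.example.com", "CLIENT": "10.0.0.5", "COUNT": 120},
    {"FQDN": "update.example.com", "CLIENT": "10.0.0.5", "COUNT": 80},
    {"FQDN": "update.example.com", "CLIENT": "10.0.0.9", "COUNT": 50},
    {"FQDN": "cdn.example.net", "CLIENT": "10.0.1.7", "COUNT": 150},
    {"FQDN": "cdn.example.net", "CLIENT": "10.0.0.5", "COUNT": 30},
    {"FQDN": "mail.example.org", "CLIENT": "10.0.2.2", "COUNT": 25},
    {"FQDN": "mail.example.org", "CLIENT": "10.0.2.3", "COUNT": 10},
]

# Constructed stand-in for the dnslookup external lookup (PTR answers).
# 10.0.0.9 deliberately has no entry so the fillnull path is exercised.
REVERSE_DNS = {
    "10.0.0.5": "ws-alice.corp.example",
    "10.0.1.7": "proxy01.corp.example",
    "10.0.2.2": "mx1.corp.example",
    "10.0.2.3": "mx2.corp.example",
}


def resolve(ip, table=REVERSE_DNS):
    """lookup dnslookup ... | fillnull value="": unresolved -> ''."""
    return table.get(ip, "")


def top_clients_per_domain(rows, limit=5, table=REVERSE_DNS):
    """Return the report rows as dicts keyed Domain/Client/Queries/Percent."""
    # stats sum(COUNT) as CLIENT_QUERIES by FQDN CLIENT
    totals = defaultdict(int)
    for r in rows:
        totals[(r["FQDN"], r["CLIENT"])] += int(r["COUNT"])

    # sort -CLIENT_QUERIES | head <limit>  (tie-break on key for determinism)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

    # eventstats sum(CLIENT_QUERIES) as TOTAL runs after head, so the
    # percentage is relative to the kept rows only, exactly as in the SPL.
    total = sum(q for _, q in ranked)

    out = []
    for (fqdn, client), queries in ranked:
        percent = round(queries * 100 / total, 1)
        # eval Client=Client." ".CLIENT_RESOLVED (blank host leaves a
        # trailing space, as the SPL does after fillnull value="")
        client_col = f"{client} {resolve(client, table)}"
        out.append({"Domain": fqdn, "Client": client_col,
                    "Queries": queries, "Percent": percent})
    return out


if __name__ == "__main__":
    for row in top_clients_per_domain(SAMPLE_ROWS):
        print(f'{row["Domain"]:<22} {row["Client"]:<34} '
              f'{row["Queries"]:>5} {row["Percent"]:>5}%')
```

The Percent column is kept in the model because the search computes it; the report's final `fields` line drops it, so remove it from the returned dict if you want the output to match the dashboard column-for-column.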


(Screenshot: DNS Top Clients Per Domain w/Hostname)


