7159 
1
As requested by LEdwards, here is a version of the DNS Top Clients (Host) reporting with an IP filter. Note that you can input a single IP, use wildcards (192.168.*), or use CIDR notation (192.168.0.0/16).
<form>
<label>DNS Top Clients (Host) with IP filter</label>
<description>System-created dashboard: Please clone before editing.</description>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time">
<label>Time</label>
<default>
<earliest>-1d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="topn">
<label>Top N</label>
<default>10</default>
<choice value="5">5</choice>
<choice value="10">10</choice>
<choice value="20">20</choice>
<choice value="50">50</choice>
<choice value="100">100</choice>
<choice value="200">200</choice>
<choice value="250">250</choice>
<choice value="500">500</choice>
</input>
<input type="text" token="ip_filter">
<label>IP</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="members">
<label>Members</label>
<choice value="*">All</choice>
<search>
<query>index=ib_dns_summary report=si_dns_top_clients
| stats count by orig_host</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<fieldForLabel>orig_host</fieldForLabel>
<fieldForValue>orig_host</fieldForValue>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>orig_host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="dropdown" token="dns_view">
<label>DNS View</label>
<choice value="All">All</choice>
<search>
<query>index=ib_dns_summary report=si_dns_top_clients
| stats count by display_name</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<fieldForLabel>display_name</fieldForLabel>
<fieldForValue>display_name</fieldForValue>
<default>All</default>
<change>
<condition value="All">
<set token="dns_view_str">*</set>
</condition>
<condition value="*">
<set token="dns_view_str">display_name="$value$"</set>
</condition>
</change>
</input>
<input type="link" token="view" searchWhenChanged="true">
<label>View</label>
<choice value="chart">Bar Chart</choice>
<choice value="table">Table</choice>
<choice value="both">Both</choice>
<default>chart</default>
<change>
<condition value="table">
<set token="show_table">true</set>
<unset token="show_chart"></unset>
</condition>
<condition value="chart">
<set token="show_chart">true</set>
<unset token="show_table"></unset>
</condition>
<condition value="both">
<set token="show_chart">true</set>
<set token="show_table">true</set>
</condition>
</change>
</input>
</fieldset>
<search id="base_search">
<query>index=ib_dns_summary report=si_dns_top_clients
CLIENT=$ip_filter$
$members$
$dns_view_str$
| stats sum(COUNT) as CLIENT_QUERIES by CLIENT
| sort -CLIENT_QUERIES
| lookup dnslookup clientip as CLIENT OUTPUT clienthost as CLIENT_RESOLVED
| fillnull value="" CLIENT_RESOLVED
| eval newField= CLIENT." ".CLIENT_RESOLVED
| rename newField as CLIENT
| head $topn$
| eventstats sum(CLIENT_QUERIES) as TOTAL
| eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1)
| eval PCLIENT=CLIENT+" ("+PERCENT+"%)"
| rename PCLIENT as Client, CLIENT_QUERIES as Queries
| fields Client, Queries</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<row>
<panel>
<chart depends="$show_chart$">
<search base="base_search">
<query>| noop</query>
</search>
<option name="charting.chart">bar</option>
<option name="charting.drilldown">none</option>
<option name="charting.axisTitleX.text">Client</option>
<option name="charting.axisTitleY.text">Queries</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
<row>
<panel>
<table depends="$show_table$">
<search base="base_search">
<query>| noop</query>
</search>
<option name="rowNumbers">true</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Posts: 8
7159 1
Posts: 2
7160 1
