
DNS Top Requested Domain Names with Filter


This is a variation on the DNS Top Requested Domain Names default report that lets you filter on domain name. Note that this report only gives a summarized count of requests for the given domain name. If you are looking for detailed information on the specific DNS queries, you still need to use the Infoblox Data Collector and its associated reports.

 

screencapture-demogm1-infoblox-ui-CYx4B5-WWI5gmxTi66uXTA-CYx21-mxT18-1484591779270.png

 

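<!--
  DNS Top Requested Domain Names with Filter (Splunk Simple XML form).

  A variation of the default "DNS Top Requested Domain Names" report: the same
  summary-index search (index=ib_dns_summary, report=si_dns_requested_domain)
  narrowed by a domain pattern, member list, TLD and DNS view, and rendered as
  a bar chart, a table, or both. Only summarized request counts are available
  here; per-query detail is not in this summary index.

  Free-text input (the Domain Filter and TLD text boxes) is never spliced into
  SPL as raw text. It is passed through the |s token filter, which wraps the
  value in double quotes and escapes embedded quotes and backslashes, so the
  typed text is always a single field value and cannot end the expression or
  start a new pipe stage. Wildcards inside the quoted value still work.
-->
<form>
  <label>DNS Top Requested Domain Names with Filter</label>
  <description>DNS Top Requested Domain Names filtered by domain name (matched against FQDN; wildcards allowed, e.g. *.example.com)</description>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time range shared by the base search and the member / DNS view lookups. -->
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Domain pattern matched against the FQDN field; "*" (default) matches every domain. -->
    <input type="text" token="domain_filter">
      <label>Domain Filter</label>
      <default>*</default>
    </input>
    <!-- Number of rows kept after sorting by request count. -->
    <input type="dropdown" token="topn" searchWhenChanged="false">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>10</default>
    </input>
    <!--
      Member list is populated from the data itself. Each selection becomes
      orig_host="<value>" and the selections are OR-ed inside parentheses, so
      the token expands to a well-formed boolean clause.
    -->
    <input type="multiselect" token="members" searchWhenChanged="false">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!--
      Free-text TLD. The change handler turns it into either a match-all term
      or a quoted TLD= clause; |s quotes and escapes the typed value.
    -->
    <input type="text" token="tld">
      <label>TLD</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="tld_str">*</set>
        </condition>
        <condition value="*">
          <set token="tld_str">TLD=$value|s$</set>
        </condition>
      </change>
    </input>
    <!--
      DNS view chosen from the values present in the data. Same shape as the
      TLD handler: "All" becomes a match-all term, anything else a quoted
      display_name= clause.
    -->
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <default>All</default>
      <search>
        <query>index=ib_dns_summary report=si_dns_requested_domain
               | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">display_name=$value|s$</set>
        </condition>
      </change>
    </input>
    <!--
      Panel visibility. The chart and table panels depend on show_chart /
      show_table, so unsetting a token hides its panel without re-running
      the base search.
    -->
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Bar Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!--
    Single base search shared by both panels. Filters are applied before the
    stats so the top-N and percentages are computed over the filtered set
    only; PERCENT is each FQDN's share of the top-N total, not of all traffic.
  -->
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_requested_domain
              FQDN=$domain_filter|s$
              $members$
              $tld_str$
              $dns_view_str$
              | stats sum(COUNT) as FQDN_TOTAL by FQDN
              | sort -FQDN_TOTAL
              | head $topn$
              | eventstats sum(FQDN_TOTAL) as TOTAL
              | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1)
              | eval PHOST=FQDN+" ("+PERCENT+"%)"
              | rename FQDN_TOTAL as Count, PHOST as "Domain Name"
              | fields "Domain Name", Count</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <chart depends="$show_chart$">
        <!-- Post-process search: reuse base_search results unchanged. -->
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.axisTitleX.text">Domain Name</option>
        <option name="charting.axisTitleY.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$show_table$">
        <!-- Post-process search: reuse base_search results unchanged. -->
        <search base="base_search">
          <query>| noop</query>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>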

 
