DNS client report by infoblox host

drew7722
Techie

Community:

New to the forum here so I appreciate the help!

I am looking for a reporting filter to show me all clients using a specific grid member for DNS services within a certain period of time. The goal is to determine any statically configured devices using the DNS server so they can be pointed to a new DNS server.

I was able to get something close from the Top Client report - but I do not think it is showing me all the clients.

orig_host="HOSTNAME" index=ib_dns_summary report=si_dns_top_clients | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as CLIENT_QUERIES by CLIENT | sort -CLIENT_QUERIES | eventstats sum(CLIENT_QUERIES) as TOTAL | eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1) | eval PCLIENT=CLIENT+" ("+PERCENT+"%)" | rename PCLIENT as Client, CLIENT_QUERIES as Queries | fields Client, Queries

Thank you!

Re: DNS client report by infoblox host

drew7722
Techie

Existing filter string

orig_host="HOSTNAME" index=ib_dns_summary report=si_dns_top_clients | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as CLIENT_QUERIES by CLIENT | sort -CLIENT_QUERIES | eventstats sum(CLIENT_QUERIES) as TOTAL | eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1) | eval PCLIENT=CLIENT+" ("+PERCENT+"%)" | rename PCLIENT as Client, CLIENT_QUERIES as Queries | fields Client, Queries

Re: DNS client report by infoblox host

Adviser

Hello,

It is most probably because you are using "report=si_dns_top_clients". It already has sort and head functions inside it to limit the number of clients in the output.

Can you try the below? Also replace the bold portion with the fqdn of your DNS member.

'sort 0' helps prevent sort from truncating the results to 10000 rows.

sourcetype=ib:dns:query:top_clients index=ib_dns | lookup dns_viewkey_displayname_lookup VIEW output display_name | search host=your.dns.member.fqdn | stats sum(COUNT) as CLIENT_QUERIES by CLIENT | sort 0 -CLIENT_QUERIES | eventstats sum(CLIENT_QUERIES) as TOTAL | eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1) | eval PCLIENT=CLIENT+" ("+PERCENT+"%)" | rename PCLIENT as Client, CLIENT_QUERIES as Queries | fields Client, Queries


Best Regards,

Bibin Thomas

Re: DNS client report by infoblox host

drew7722
Techie

Thanks! That seems to be doing the trick. I am getting a lot more clients in the list as compared to the other search string.

Re: DNS client report by infoblox host

samjha
Techie

I am a newbie in Infoblox. Please help me to set up a Splunk report.

* We have multiple grid members and wanted to add them in a single report, "DNS client report by infoblox host".

Thanks

Re: DNS client report by infoblox host

Adviser

In the "reporting" tab, you'll need to click on the "search" sub-tab, then paste in the code above. Note that you'll need to replace the "host=your.dns.member.fqdn" with the host name of the host you are looking to get statistics for.
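
An added example, not part of any post above and not an Infoblox-supplied report: one way to cover several grid members in a single search and bound it to a time window, reusing the sourcetype, index and field names from the accepted answer. The member FQDNs are placeholders, the 30-day window is an assumption, and the first/last seen columns assume the event timestamps of the top-clients events are close enough to the query time for migration tracking.

```spl
sourcetype=ib:dns:query:top_clients index=ib_dns earliest=-30d@d latest=now
    (host="member1.your.domain" OR host="member2.your.domain")
| stats sum(COUNT) as CLIENT_QUERIES, min(_time) as FIRST_SEEN, max(_time) as LAST_SEEN by host, CLIENT
| eventstats sum(CLIENT_QUERIES) as MEMBER_TOTAL by host
| eval PERCENT=round(CLIENT_QUERIES*100/MEMBER_TOTAL,1)
| convert ctime(FIRST_SEEN) ctime(LAST_SEEN)
| sort 0 host, -CLIENT_QUERIES
| rename host as Member, CLIENT as Client, CLIENT_QUERIES as Queries, PERCENT as "Percent of member", FIRST_SEEN as "First seen", LAST_SEEN as "Last seen"
| fields Member, Client, Queries, "Percent of member", "First seen", "Last seen"
```

Grouping by host keeps each member's client list separate, and a client whose "Last seen" stops advancing after it has been repointed is no longer querying the old server.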
