
Query volume per domain (or zone)

Authority
Posts: 27
4373     0

We're currently evaluating slaving some of our critical external zones out to a 3rd party hosting provider. The provider charges based on average monthly query volume across all of the zones being hosted. So I'm trying to generate a search that gives us those numbers.

I'm still super new to Infoblox reporting and Splunk in general. But here's the basic query I'm working with so far.

index=ib_dns_summary report=si_dns_requested_domain display_name="External" FQDN="*.example.com"
| stats sum(COUNT) as FQDN_TOTAL

What I *think* I'm asking for here is the sum of all queries in the External DNS view for FQDNs that match *.example.com in whatever time period I've specified. Am I correct that "*.example.com" won't match queries for the apex "example.com"? If so, what's the best way to include that as well?

Is there a better way to get the info I'm looking for? Is there an easy way to modify the search so I can provide a list of apex domains rather than doing them one at a time?

Thanks all for your time.

Re: Query volume per domain (or zone)

Adviser
Posts: 78

Hello There,

I hope that the string works perfectly for you since I don’t find any reason for that not to. Your assumption is right. It won’t match “example.com”. To include that, you just need to modify your string as:

index=ib_dns_summary report=si_dns_requested_domain display_name="External" FQDN="*.example.com" OR FQDN="example.com" | stats sum(COUNT) as FQDN_TOTAL by FQDN

You may append this string with other FQDNs (using OR), so that you don’t have to run individual searches. If you run into a necessity to figure out the actual clients querying those domains (for any internal needs), you may need to set up a data connector VM in your Infoblox infrastructure.

Other than that, you should be good to go with this. Let me know if you have any questions.

Best regards,

Mohammed Alman.

Re: Query volume per domain (or zone)

Authority
Posts: 27

Thanks, @malman. I knew it had to be something simple like that for getting the root. I suspect there might be a regex way of doing it as well?

However, adding the `by FQDN` to the stats clause has blown up my result set. In the single domain case, I can just remove it and go back to the single count result. But if I'm adding multiple OR clauses for the rest of the domains, is there an easy way to group the results by just the domain portion of the FQDN rather than the whole thing?

Re: Query volume per domain (or zone)

Adviser
Posts: 78

Hello There,

Can you try this to see if it gives you the sorted results based on the domain name?

index=ib_dns_summary report=si_dns_requested_domain display_name="External" FQDN="*.example.com" OR FQDN="example.com" | rex "^(?:[^\.\n]*\.){5}(?P<DOMAINNAME>\w+\.\w+)" | stats sum(COUNT) as FQDN_TOTAL by FQDN, DOMAINNAME | sort DOMAINNAME | fields FQDN FQDN_TOTAL

Alternatively, this string could be used in order to pull the net number of hits to a domain (will be picking up the first two domains in the FQDN):

index=ib_dns_summary report=si_dns_requested_domain display_name="External" FQDN="*.example.com" OR FQDN="example.com" | rex "^(?:[^\.\n]*\.){5}(?P<DOMAINNAME>\w+\.\w+)" | stats sum(COUNT) as FQDN_TOTAL by FQDN, DOMAINNAME | sort DOMAINNAME | stats sum(FQDN_TOTAL) as "TOTAL HITS" by DOMAINNAME

Best regards,

Mohammed Alman.
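
Added example, not part of the thread and not Infoblox or Splunk code: a Python roll-up of per-FQDN totals into per-zone totals from a list of apex domains, matching the apex itself and any name under it on a label boundary, with the most specific zone winning. It assumes the per-FQDN results were exported as CSV with `FQDN` and `FQDN_TOTAL` columns; the zone list, sample rows and function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed sample: rows shaped like a CSV export of
# "| stats sum(COUNT) as FQDN_TOTAL by FQDN" (all values are made up).
SAMPLE_EXPORT = """FQDN,FQDN_TOTAL
example.com,120
www.example.com,300
API.Example.com.,80
mail.corp.example.com,40
notexample.com,999
www.example.org,15
"""

# Assumption: the apex zones being priced for hosting.
ZONES = ["example.com", "corp.example.com", "example.org"]


def zone_for(fqdn, zones):
    """Return the longest zone that equals fqdn or is a label-boundary suffix of it."""
    # Normalise case and a trailing root dot before comparing.
    labels = fqdn.strip().rstrip(".").lower().split(".")
    wanted = {z.rstrip(".").lower() for z in zones}
    # Walk from the full name toward the TLD so the most specific zone wins,
    # and "notexample.com" can never match "example.com".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in wanted:
            return candidate
    return None


def totals_by_zone(csv_text, zones):
    """Sum FQDN_TOTAL per zone; names outside every zone are counted under None."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals[zone_for(row["FQDN"], zones)] += int(row["FQDN_TOTAL"])
    return dict(totals)


if __name__ == "__main__":
    for zone, total in sorted(totals_by_zone(SAMPLE_EXPORT, ZONES).items(), key=str):
        print(zone, total)
```

The `None` bucket collects names that fall outside every listed zone, which makes an over-broad search filter visible instead of silently inflating a zone's total.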
