The solution is not performance friendly (we don't have a lookup table). You need to clone the report and change a search string for the table. I also got rid of Time field.

index=ib_dns_summary report=si_dns_rpz_hits             $client_str$             $domain_name_str$             $dns_view_str$             $members$             $mitigation_action_str$             $rpz_zone_str$             $rpz_entry_str$             $severity_str$                     | eval DNS_VIEW =if(isnull(display_name), "NULL",display_name)             | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)             | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)             | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)             | where MITIGATION_ACTION != "ER"              | stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA RPZ_QNAME             | stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA RPZ_QNAME             | sort -QCOUNT             | head $topn$             | eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")             | eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")     | rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"     |  join  type=left "Client ID" [search index=ib_discovery source="ib:discovery:ipaddr_activity"| stats latest(_time) by IPADDR, DISCOVERED_NAME, NETWORK_VIEW| rename IPADDR as "Client ID"| table "Client ID", DISCOVERED_NAME, NETWORK_VIEW]     | table "Client ID", DISCOVERED_NAME, NETWORK_VIEW, "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"

Hello,

Thanks for posting your report.  I tried using your search string however, I'm getting errors because of the tokens. Could you please tell me the best way to add your report with the dropdown selectors in my Reporting Server?

Kind regards,
Jeff 

Thanks Vadim, I did see that in your original quote however, you talk about cloning the report, when actually it's a Dashboard that you cloned.  I now see where to make the modifications.

Kind regards,
Jeff

Thankyou for this.  

For some reason, when I cut and pasted the code, I kept getting a extra hidden charactor in this statement,

eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY) 

Between the IT in the third SEVERITY.

Some browsers would show it and some would not, once I got that sorted, it worked fine.