DNS RPZ Hits by Clients (Drilldown)
RPZ Hits by Client Report for Drilldown. HTH.
<form>
  <label>DNS RPZ Hits by Clients (Drilldown)</label>
  <description></description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1w</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
      <default>100</default>
      <initialValue>100</initialValue>
    </input>
    <!-- Members: selected values are expanded to (orig_host="a" OR orig_host="b") -->
    <input type="multiselect" token="members">
      <label>Members</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>orig_host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits | stats count by orig_host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>orig_host</fieldForLabel>
      <fieldForValue>orig_host</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <!-- Client: "All" matches everything, any other value becomes a CLIENT filter (wildcards allowed) -->
    <input type="text" token="client">
      <label>Client (e.g. *10.120.20.*)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="client_str">*</set>
        </condition>
        <condition value="*">
          <set token="client_str">(CLIENT="$value$")</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="dns_view">
      <label>DNS View</label>
      <choice value="All">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_rpz_hits | stats count by display_name</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>display_name</fieldForLabel>
      <fieldForValue>display_name</fieldForValue>
      <change>
        <condition value="All">
          <set token="dns_view_str">*</set>
        </condition>
        <condition value="*">
          <set token="dns_view_str">(display_name="$value$")</set>
        </condition>
      </change>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Sort by hit count before head so that "Top N" returns the clients with the most RPZ hits -->
          <query>index=ib_dns_summary report=si_dns_rpz_hits $members$ $client_str$ $dns_view_str$ | stats count by CLIENT | sort - count | head $topn$ | rename CLIENT as "Client ID", count as "Total Client Hits" | table "Client ID", "Total Client Hits"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <!-- Clear the drilldown selection whenever this search re-runs, which hides the detail panel -->
          <progress>
            <condition>
              <unset token="conditional_value"></unset>
            </condition>
          </progress>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <!-- Clicking a row stores its Client ID and reveals the detail panel below -->
        <drilldown>
          <set token="conditional_value">$row.Client ID$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$conditional_value$">
        <title>RPZ Events for Client ID=$conditional_value$</title>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits DOMAIN_NAME=* CLIENT=$conditional_value$ | stats count by DOMAIN_NAME | rename DOMAIN_NAME as "Domain Name", count as "Total Client Hits" | table "Domain Name", "Total Client Hits" | sort "Total Client Hits" desc</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>