

DNS Metrics


Hi all, I'm trying to make a dashboard that will get me DNS metrics based off a selected date range, using a cloned DNS Replies Trend report. Instead of collating the data 10 minutes apart and just giving a total number for each 10-minute increment, I want to collectively show the TOTAL number of NXDOMAIN/Success/etc. responses for the selected date range. My current code displays the DNS replies, but it's sorting and displaying by date.

Code:

<form>
  <label>DNS Metrics</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="members">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_summary report=si_dns_query_reply
          | stats count by MEMBER</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>MEMBER</fieldForLabel>
      <fieldForValue>MEMBER</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>MEMBER="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="dropdown" token="response_type">
      <label>Response Type</label>
      <choice value="*">All</choice>
      <choice value="success">SUCCESS/ NOERROR</choice>
      <choice value="referral">REFERRAL</choice>
      <choice value="nxrrset">NXRRSET</choice>
      <choice value="nxdomain">NXDOMAIN</choice>
      <choice value="failure">REFUSED</choice>
      <choice value="other">OTHER</choice>
      <default>*</default>
      <prefix>( TYPE="</prefix>
      <suffix>" )</suffix>
      <initialValue>*</initialValue>
    </input>
    <input type="link" token="view" searchWhenChanged="true">
      <label>View</label>
      <choice value="chart">Line Chart</choice>
      <choice value="table">Table</choice>
      <choice value="both">Both</choice>
      <default>chart</default>
      <change>
        <condition value="table">
          <set token="show_table">true</set>
          <unset token="show_chart"></unset>
        </condition>
        <condition value="chart">
          <set token="show_chart">true</set>
          <unset token="show_table"></unset>
        </condition>
        <condition value="both">
          <set token="show_chart">true</set>
          <set token="show_table">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <search id="base_search">
    <query>index=ib_dns_summary report=si_dns_query_reply
      $members$ $response_type$
      | stats sum(COUNT) as QCOUNT by date_mday, TYPE
      | eval QCOUNT=QCOUNT
    </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel isVisible="$show_chart$">
      <chart depends="$show_chart$">
        <search base="base_search">
          <query>| rename _time as Time
            | eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S %Z")</query>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Reply count</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel isVisible="$show_table$">
      <table depends="$show_table$">
        <search base="base_search">
          <query>| sort -_time
            | rename _time as Time
            | eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S %Z")</query>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Current Output:

image.png
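
One way to get a single total per reply type for the whole selected range, shown as an added example that is not part of the original post or an Infoblox-supplied report. It assumes the index, report name, tokens and the COUNT and TYPE fields from the dashboard posted above; the search id `totals_search`, the TOTAL and PERCENT fields and the panel titles are made up for illustration.

```xml
<!-- Added example: drop these elements inside the posted <form>, after the <fieldset>.
     Assumption: COUNT and TYPE exist in ib_dns_summary exactly as in the posted search. -->
<search id="totals_search">
  <!-- Grouping by TYPE only (no date_mday, no _time) collapses every time bucket
       in the selected range into one row per reply type. -->
  <query>index=ib_dns_summary report=si_dns_query_reply
    $members$ $response_type$
    | stats sum(COUNT) as QCOUNT by TYPE</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
</search>
<row>
  <panel>
    <title>DNS replies by type (selected range)</title>
    <table>
      <search base="totals_search">
        <!-- Post-process: add each type's share of all replies, largest first. -->
        <query>| eventstats sum(QCOUNT) as TOTAL
          | eval PERCENT=round(100*QCOUNT/TOTAL, 2)
          | fields TYPE, QCOUNT, PERCENT
          | sort -QCOUNT</query>
      </search>
      <option name="rowNumbers">false</option>
      <option name="drilldown">none</option>
    </table>
  </panel>
  <panel>
    <title>Reply type share</title>
    <chart>
      <search base="totals_search">
        <query>| fields TYPE, QCOUNT</query>
      </search>
      <option name="charting.chart">pie</option>
      <option name="charting.drilldown">none</option>
    </chart>
  </panel>
</row>
```

With a single response type selected in the dropdown, PERCENT is relative to the filtered set, so it reads 100 for that type.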

 
