


DNS Replies Trend report


I'm looking to see if anyone knows of or has a report that gives a total number of specific replies for whatever date range is input. I'm trying to show the total number of NXDOMAIN queries for a month, week, etc. at a time, and the DNS Replies report only shows 10-minute intervals and doesn't give an overall total count.


Does anyone know the Splunk code where I can just input a date range and get a total count of NXDOMAIN or Successful queries?



Re: DNS Replies Trend report


Hello Steve,


I’m not sure if you’re still looking for this, but this simple SPL should return the net number of NXDOMAIN responses from the Infoblox DNS servers, on a per-member basis (for the said time):


index=ib_dns_summary report=si_top_nxdomain_query | stats sum(COUNT) as QCOUNT by orig_host | rename orig_host as SERVER_NAME | sort -QCOUNT


Note that the data for this specific report/index is updated every 30 minutes, starting at the 5th minute of each half hour. Data covers the first 30 minutes of the previous 60 minutes, so you should keep that in mind if you intend to do real-time testing. Having a data connector in the grid would enable you to get more refined reports for such use cases. An advantage is that the index data for this category (ib_dns_capture) is expected to be updated in real time. Let me know if you have any questions.


All the best.
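
Added example (not part of the original reply or Infoblox's own report code): the search from the reply above, bounded to an explicit date range with SPL's standard `earliest`/`latest` time modifiers and finished with a grand-total row across all members. The 30-day window and the `ALL_MEMBERS` label are assumptions chosen for illustration; the index, report and field names are the ones given in the reply.

```spl
index=ib_dns_summary report=si_top_nxdomain_query earliest=-30d@d latest=@d
| stats sum(COUNT) as QCOUNT by orig_host
| rename orig_host as SERVER_NAME
| sort -QCOUNT
| addcoltotals labelfield=SERVER_NAME label="ALL_MEMBERS" QCOUNT
```

Changing `earliest`/`latest` (for example `-7d@d`) or using the time-range picker instead adjusts the window without touching the rest of the search.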
