


DNS Report with Client IP Addresses Domain Name queried and Count Query


Hi All

Is it possible to have/build a report with the fields in the title message?

CLIENT, CLIENT_Queries and FQDN Queried


I tried to create it by "merging" in some way two existing reports which have the fields and information needed:

DNS Top Client (without the Splunk code to obtain TOP) and

DNS Domain Queried by Client


Something like this:

index=ib_dns_summary | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as FQDN_TOTAL by FQDN |stats sum(COUNT) as CLIENT_QUERIES by CLIENT |eventstats sum(CLIENT_QUERIES) as TotCLIENT | eventstats sum(FQDN_TOTAL) as TOTAL| rename FQDN_TOTAL as Count, FQDN as "Domain Name" | fields "Domain Name", Count, TotCLIENT

But the result is a standard event.


Thanks in advance
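One way to get one row per client and queried domain with both counts, as an added example that is not part of the original post. It assumes, as the post's own query does, that the ib_dns_summary index carries CLIENT, FQDN and COUNT fields; the output column names are arbitrary choices.

```spl
index=ib_dns_summary
| stats sum(COUNT) as Count by CLIENT, FQDN
| eventstats sum(Count) as CLIENT_QUERIES by CLIENT
| eventstats sum(Count) as TOTAL
| sort - CLIENT_QUERIES, - Count
| rename CLIENT as "Client IP", FQDN as "Domain Name"
| table "Client IP", CLIENT_QUERIES, "Domain Name", Count, TOTAL
```

A single stats grouped by both CLIENT and FQDN keeps each pair together, whereas two consecutive stats commands drop every field that the second one does not aggregate or group by. The eventstats calls then attach the per-client and overall totals to each row without collapsing the table.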

