02-16-2021 08:24 AM - edited 02-22-2021 09:48 AM
I try to create a report that show queries number for some domain name...
I found this SLP syntax that works good, but it didn't show the domanin with queries value 0:
"index=ib_dns_summary report=si_dns_requested_domain FQDN="domain1.com" OR FQDN="domain2.com""| stats sum(COUNT) as FQDN_TOTAL by FQDN"
The domain1.com have queries and show the result with:
FQDN "domain1.com" FQDN_Total "n"
but the doman2.com haven't queries and appear anything..
Is it possible show it in result (under domain1.com) in this way:
FQDN "domain2.com" FQDN_Total "0"
I found "fillnull" but seems not be the right way
Thanks in advance