Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Reporting

Reply

Query volume per domain Show Also zero occurence value

[ Edited ]
Authority
Posts: 15
2239     0

Hi All 

I try to create a report that show queries number for some domain name... 

I found this SLP syntax that works good, but it didn't show the domanin with queries value 0:

 

"index=ib_dns_summary report=si_dns_requested_domain FQDN="domain1.com" OR FQDN="domain2.com""| stats sum(COUNT) as FQDN_TOTAL by FQDN"

 

The domain1.com have queries and show the result with:

FQDN "domain1.com" FQDN_Total  "n"

but the doman2.com haven't queries and appear anything.. 

Is it possible show it in result (under domain1.com) in this way:

FQDN "domain2.com" FQDN_Total "0"

I found "fillnull" but seems not be the right way

 

Thanks in advance

Re: Query volume per domain Show Also zero occurence value

Authority
Posts: 15
2240     0

Anyone can give a suggest?

 

Thanks in advance

Showing results for 
Search instead for 
Did you mean: 

Recommended for You