We have a secondary dns layer that is supposed to be the dns server layer for all clients.

The secondary DNS servers forward to the caching layer.

While RPZ is on both layers now, I want to only have RPZ at the secondary layer.

First I must determine that RPZ hits are only being reported from the secondary layer before I move the RPZ licenses off the caching layer.

I want to run a report that will demonstrate that clients are not sending queries to the caching layer.

The dns secondary server names begin with “usqasb01dns”

The dns Caching server names begin with “usqasb01dnf”

This is the current search criteria:

index=ib_dns_summary report=si_dns_rpz_hits| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX" or MITIGATION_ACTION == "ND", "Block", MITIGATION_ACTION == "SB" or MITIGATION_ACTION =="A1" or MITIGATION_ACTION =="A4" or MITIGATION_ACTION =="AA" or MITIGATION_ACTION =="DN", "Substitute") | fields _time  MITIGATION_ACTION   TOTAL_COUNT   | timechart bins=1000 avg(TOTAL_COUNT) by MITIGATION_ACTION  useother=f | interpolate 1200| fillnull | addtotals row=true col=false | rename Total as "ClientHits"

Can I add a condition to look for the caching servers?

Usqasb01dnf101.na.pg.com

Usqasb01dnf102.na.pg.com

Your help is greatly appreciated