Hello alonk,

The predefined report that you're using here is configured to run at every 30th minute from 4
through 59. The data would include the first 30 minutes of the previous 1 hour. So apparently the COUNT you're looking at is the total # of times that the FQDN was queried for in the last 1 hour's first 30 minutes. I don't think you would need to do any changes to that raw information, unless you'd like to divide it by 1800 to convert the value to hits-per-second OR by 30 to convert it to hits-per-minute.

So i'd write the string to include the time period as :

Hits per minute :

index=ib_dns_summary source="si-search-dns-requested-domain"FQDN="www.example.co.uk" OR FQDN ="example.co.uk" | eval events-from=strftime(info_min_time, "%Y-%d-%m %H:%M") | eval events-to=strftime(info_max_time, "%Y-%d-%m %H:%M") | eval Hits-per-minute=tonumber(COUNT)/30 | table FQDN, events-from, events-to, Hits-per-minute

Hits per second :

index=ib_dns_summary source="si-search-dns-requested-domain"FQDN="www.example.co.uk" OR FQDN ="example.co.uk" | eval events-from=strftime(info_min_time, "%Y-%d-%m %H:%M") | eval events-to=strftime(info_max_time, "%Y-%d-%m %H:%M") | eval Hits-per-second=tonumber(COUNT)/1800 | table FQDN, events-from, events-to, Hits-per-second

Sample output :

Sorry that the post was left unanswered for quite sometime. Hope this helps 

Best regards,