We wish to have a search string to get hits per domain per hour (or minute or second)?

I have found the string below, which gives hits per specific domain. How do I add hits per hour to this?


index=ib_dns_summary report=si_dns_requested_domain display_name="External" FQDN="" OR FQDN="" | rex "^(?:[^\.\n]*\.){5}(?P<DOMAINNAME>\w+\.\w+)" | stats sum(COUNT) as FQDN_TOTAL by FQDN, DOMAINNAME | sort DOMAINNAME | stats sum(FQDN_TOTAL) as "TOTAL HITS" by DOMAINNAME


Thanks to all,

Re: search string to find domain hits per minute over a certain time range.

Hello alonk,


The predefined report that you're using here is configured to run at every 30th minute from 4 through 59. The data would include the first 30 minutes of the previous 1 hour. So apparently the COUNT you're looking at is the total # of times that the FQDN was queried for in the last 1 hour's first 30 minutes. I don't think you would need to make any changes to that raw information, unless you'd like to divide it by 1800 to convert the value to hits-per-second OR by 30 to convert it to hits-per-minute.


So I'd write the string to include the time period as:


Hits per minute:


index=ib_dns_summary source="si-search-dns-requested-domain" FQDN="" OR FQDN="" | eval events_from=strftime(info_min_time, "%Y-%d-%m %H:%M") | eval events_to=strftime(info_max_time, "%Y-%d-%m %H:%M") | eval hits_per_minute=tonumber(COUNT)/30 | table FQDN, events_from, events_to, hits_per_minute

Hits per second:


index=ib_dns_summary source="si-search-dns-requested-domain" FQDN="" OR FQDN="" | eval events_from=strftime(info_min_time, "%Y-%d-%m %H:%M") | eval events_to=strftime(info_max_time, "%Y-%d-%m %H:%M") | eval hits_per_second=tonumber(COUNT)/1800 | table FQDN, events_from, events_to, hits_per_second

Sample output: (screenshot of the result table not reproduced here)

Sorry that the post was left unanswered for quite some time. Hope this helps.


Best regards,



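The original question asks for hits per domain per hour (or minute, or second), which the reply answers only for the report's fixed 30-minute window. In SPL the general form is to bucket time before aggregating (`| bin _time span=1h` ahead of `stats sum(COUNT) by _time, DOMAINNAME`). The script below is an added example, not code from this thread or from Splunk or Infoblox: it applies the question's own `rex` pattern to constructed summary-index rows, buckets them into a chosen span the way `bin` does, and converts the bucket totals into per-minute and per-second rates as the reply does with `/30` and `/1800`. The row format `(_time, FQDN, COUNT)` and the sample FQDNs are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The regex from the question's search: skip five dot-separated labels, then
# capture the next "name.tld" pair as DOMAINNAME. Like the original rex, it only
# matches FQDNs with at least seven labels; shorter names yield no DOMAINNAME.
DOMAIN_RE = re.compile(r"^(?:[^.\n]*\.){5}(?P<DOMAINNAME>\w+\.\w+)")

# Constructed rows in the shape of the summary-index events the search reads:
# (_time, FQDN, COUNT). Sample data made up for this example, not a real export.
SAMPLE_ROWS = [
    ("2019-03-04 09:04:00", "h1.rack1.site1.zone1.dns.example.com", 12),
    ("2019-03-04 09:20:00", "h2.rack1.site1.zone1.dns.example.com", 18),
    ("2019-03-04 09:34:00", "h1.rack1.site1.zone1.dns.example.com", 30),
    ("2019-03-04 09:49:00", "h3.rack2.site1.zone1.dns.example.org", 6),
    ("2019-03-04 10:04:00", "h1.rack1.site1.zone1.dns.example.com", 9),
    ("2019-03-04 10:34:00", "h3.rack2.site1.zone1.dns.example.org", 15),
    ("2019-03-04 10:34:00", "short.example.net", 99),  # too few labels: dropped
]


def extract_domain(fqdn):
    """Return DOMAINNAME the way the page's rex would, or None when it does not match."""
    m = DOMAIN_RE.match(fqdn)
    return m.group("DOMAINNAME") if m else None


def bucket_start(ts, span_seconds):
    """Floor a "%Y-%m-%d %H:%M:%S" timestamp to the start of its bucket.

    Mirrors SPL's `bin _time span=...`. Buckets are aligned to midnight, so
    span_seconds is assumed to divide 86400 (60, 1800, 3600, ...).
    """
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    midnight = dt.replace(hour=0, minute=0, second=0)
    offset = int((dt - midnight).total_seconds())
    start = midnight + timedelta(seconds=offset - offset % span_seconds)
    return start.strftime("%Y-%m-%d %H:%M")


def hits_per_domain_per_bucket(rows, span_seconds):
    """Sum COUNT per (bucket, DOMAINNAME): bin _time, then stats sum(COUNT) by _time, DOMAINNAME."""
    totals = defaultdict(int)
    for ts, fqdn, count in rows:
        domain = extract_domain(fqdn)
        if domain is None:
            continue  # stats ... by DOMAINNAME silently drops rows without the field
        totals[(bucket_start(ts, span_seconds), domain)] += int(count)
    return dict(totals)


def rates(totals, span_seconds):
    """Turn bucket totals into hits per minute and per second (the reply's /30 and /1800 for a 30-minute window)."""
    return {
        key: {
            "hits": n,
            "per_minute": n / (span_seconds / 60),
            "per_second": n / span_seconds,
        }
        for key, n in totals.items()
    }


if __name__ == "__main__":
    for span in (3600, 1800):
        print(f"\nspan={span}s")
        table = rates(hits_per_domain_per_bucket(SAMPLE_ROWS, span), span)
        for (start, domain), r in sorted(table.items()):
            print(f"{start}  {domain:<12} hits={r['hits']:>4}  /min={r['per_minute']:.3f}  /sec={r['per_second']:.4f}")
```

Two things worth checking before reusing the pattern on real data: the `rex` only produces DOMAINNAME for names with seven or more labels, so any shorter FQDN disappears from the totals without warning (the `short.example.net` row above shows this), and a name with more than seven labels yields its sixth and seventh labels rather than the registrable domain. Dividing by the span only gives a meaningful rate when the bucket is fully covered by data, which is why the reply's `/30` and `/1800` are tied to the report's 30-minute window.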