508 
0
Goal: Create a reporting dashboard that allows the user to enter a subdomain in a text field and return the Top N FQDNs after removing any queries that returned NXDOMAIN - basically what are the top successful lookups for a subdomain. (We're trying to eliminate some of our 14(!!) domain suffixes, so we need to know if there are valid requests and not just those who can't be convinced to use FQDNs.)
I was able to modify the DNS Top Requested Domain Names dashboard to get the subdomain filter I want (see below) and it looks like the DNS Top NXDOMAIN / NOERROR dashboard might have what I want, but I'm not sure how to merge the two.
index=ib_dns_summary report=si_dns_requested_domain
(orig_host="*")
*
| where FQDN like "%.corp.internal"
| stats sum(COUNT) as FQDN_TOTAL by FQDN
| sort -FQDN_TOTAL
| head 100
| eventstats sum(FQDN_TOTAL) as TOTAL
| eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1)
| eval PHOST=FQDN+" ("+PERCENT+"%)"
| rename FQDN_TOTAL as Count, PHOST as "Domain Name"
| fields "Domain Name", Count | noop
Here's what the dashboard looks like, with one of the domain's data.
This is system-created dashboard for NXDOMAINs
index=ib_dns_summary report=si_top_nxdomain_query
(orig_host="*")
*
| stats sum(NXDOMAIN) as NXD_COUNT, sum(NXRRSET) as NXRR_COUNT by DOMAIN_NAME
| eval NXD_NXRR=NXD_COUNT + NXRR_COUNT
| eventstats sum(NXD_NXRR) as TOTAL1
| eventstats sum(NXD_COUNT) as TOTAL2
| eventstats sum(NXRR_COUNT) as TOTAL3
| eval PERCENT1=round(NXD_NXRR*100/TOTAL1,1)
| eval PERCENT2=round(NXD_COUNT*100/TOTAL2,1)
| eval PERCENT3=round(NXRR_COUNT*100/TOTAL3,1)
| sort -NXD_COUNT
| head 10
| eval PDOMNAME1=DOMAIN_NAME+" ("+PERCENT1+"%)"
| eval PDOMNAME2=DOMAIN_NAME+" ("+PERCENT2+"%)"
| eval PDOMNAME3=DOMAIN_NAME+" ("+PERCENT3+"%)"
| rename PDOMNAME1 as "Domain Name", NXD_COUNT as Queries
| where Queries != 0
| fields "Domain Name", Queries | noop
