Solved: Top DNS queries from DNS logs

tevgey23 · ‎08-15-2012

Hello,

I wanted to know what would be the best way to see the top 20 FQDN coming from DNS

To get to the results below I had to run this command

index="MyDNSlog" sourcetype=dns | rex mode=sed "s/\(\d+\)/./g" 

8/15/2012 10:27:11 AM 08E8 PACKET  000000000443D750 UDP Snd 192.168.44.2     0f93 R Q [8085 A DR  NOERROR] A      .google.com.

host=MYDNS Options| sourcetype=dns Options| source=C:\dir\dns444.log Options| timeendpos=22 Options

How can I further extract the domain name in order to view top 20 DNS queries

Thank you

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

tevgey23 · ‎08-15-2012

Thank you very much. That works

Top DNS queries from DNS logs

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!