I've installed the Splunk Add-on for Infoblox to the search head, index, and universal forwarder in one of our environments. Just playing around with the data it provides I decided to look at the built-in panels. One is a simple search for the top 10 source IPs over the last 24 hours:
index=test sourcetype="infoblox:dns" earliest=-1d client |top 10 src_ip|table src_ip count |rename src_ip AS "Client IP" count AS "Requests"
Problem is that "src_ip" isn't a field in the data. It seems that it should be replaced with "dns_request_client_ip". We're not using Infoblox for DHCP, but I see that this add-on does have a transform, I believe, for that sourcetype, infoblox:dhcp... it just never makes it to infoblox:dns?
I believe this add-on may eventually tie into an implementation of the security app. I don't want to change it much for that reason, and I'm thinking the built-in panel should work?
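To make the failure mode concrete, the following added example (not from the post, the add-on, or Splunk) reproduces outside Splunk what the panel's search does: extract a client-IP field from each event and count the top N values. The log line format, the regex, and the helper names are assumptions for illustration; the sample events are constructed. The point it shows is that a dashboard search built on a field name that the extraction never produces (here "src_ip") does not error, it silently returns nothing, so a coverage check on the field is a cheap way to catch a broken panel.

```python
import re
from collections import Counter

# Constructed sample events in an Infoblox/BIND-style query-log shape
# (assumed format for this example, not captured from a real appliance).
SAMPLE_EVENTS = [
    "client 10.0.0.5#53211: query: example.com IN A + (10.0.0.1)",
    "client 10.0.0.7#41902: query: intranet.local IN A + (10.0.0.1)",
    "client 10.0.0.5#53212: query: example.com IN AAAA + (10.0.0.1)",
    "client 192.168.1.20#60011: query: update.example.org IN A + (10.0.0.1)",
    "client 10.0.0.7#41903: query: mail.example.com IN MX + (10.0.0.1)",
    "client 10.0.0.5#53213: query: cdn.example.net IN A + (10.0.0.1)",
]

# Field extractions, keyed by the field name a search would reference.
# "dns_request_client_ip" mirrors the name the post believes the add-on uses;
# "src_ip" is deliberately absent, matching the problem described.
EXTRACTIONS = {
    "dns_request_client_ip": re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+"),
    "dns_request_name": re.compile(r"query: (\S+) IN "),
}


def extract_fields(raw_event):
    """Return a dict of field -> value for one raw event (unmatched fields are omitted)."""
    fields = {}
    for name, pattern in EXTRACTIONS.items():
        m = pattern.search(raw_event)
        if m:
            fields[name] = m.group(1)
    return fields


def field_coverage(events, field):
    """Fraction of events where `field` was extracted; 0.0 means the panel will be empty."""
    if not events:
        return 0.0
    hits = sum(1 for e in events if field in extract_fields(e))
    return hits / len(events)


def top_n(events, field, n=10):
    """Equivalent of `| top n <field>`: list of (value, count), most frequent first.
    An unknown field yields [] rather than an error, which is the silent failure
    a dashboard panel shows as 'No results found'."""
    counter = Counter()
    for e in events:
        value = extract_fields(e).get(field)
        if value is not None:
            counter[value] += 1
    return counter.most_common(n)


if __name__ == "__main__":
    for field in ("src_ip", "dns_request_client_ip"):
        cov = field_coverage(SAMPLE_EVENTS, field)
        print(f"{field}: coverage={cov:.0%} top={top_n(SAMPLE_EVENTS, field)}")
```

Running it prints an empty top list and 0% coverage for "src_ip", and the expected client ranking for "dns_request_client_ip". The same idea carries back into Splunk: a quick `| stats count(src_ip) count(dns_request_client_ip)` over the sourcetype tells you which name the extraction actually populates before you trust a panel built on it.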