I am looking to pull all domains from DNS logs and get a count of how many unique sub-domains were requested of each domain.
This is what I have so far. I might be going in the wrong direction, so if I need to wipe and retry I'm OK with that.
index=dns | rex field=named_domain "(?<domain>([^.]+.)?[^.]+$)" | stats count by named_domain | uniq | table domain, count
My problem is that the count is not the count of the unique sub-domains; instead I am getting all sub-domains grouped with the domain field.
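The distinct-count-per-domain logic the question is after, as an added Python example (not part of the original post) run over constructed DNS log lines; it takes the last two labels as the "domain" exactly as the post's regex does, and notes where that assumption breaks.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log lines (not from the original post).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z client=10.0.0.5 named_domain=www.example.com",
    "2024-01-01T10:00:01Z client=10.0.0.5 named_domain=mail.example.com",
    "2024-01-01T10:00:02Z client=10.0.0.7 named_domain=www.example.com",
    "2024-01-01T10:00:03Z client=10.0.0.7 named_domain=a1b2c3.tunnel.test",
    "2024-01-01T10:00:04Z client=10.0.0.7 named_domain=d4e5f6.tunnel.test",
    "2024-01-01T10:00:05Z client=10.0.0.7 named_domain=g7h8i9.tunnel.test",
    "2024-01-01T10:00:06Z client=10.0.0.7 named_domain=j0k1l2.tunnel.test.",
    "2024-01-01T10:00:07Z client=10.0.0.9 named_domain=example.com",
]

FIELD_RE = re.compile(r"named_domain=(\S+)")
# "Domain" = last two labels, mirroring the regex in the post.
# Assumption: the registrable domain is always two labels; names under
# multi-label public suffixes such as co.uk would need a suffix list.
DOMAIN_RE = re.compile(r"(?P<domain>[^.]+\.[^.]+)$")


def registered_domain(name):
    """Return the last two labels of a DNS name, lower-cased, or None."""
    m = DOMAIN_RE.search(name.rstrip(".").lower())
    return m.group("domain") if m else None


def unique_subdomains_per_domain(log_lines):
    """Map each domain to the number of DISTINCT names queried under it.

    This is what SPL's stats dc(named_domain) AS count BY domain computes;
    a plain stats count BY named_domain counts queries, not unique names.
    """
    seen = defaultdict(set)
    for line in log_lines:
        m = FIELD_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        dom = registered_domain(name)
        if dom:
            seen[dom].add(name)
    return {dom: len(names) for dom, names in seen.items()}


def flag_high_fanout(counts, threshold):
    """Domains whose distinct-subdomain count reaches the threshold; a large
    fan-out of unique labels is a common DNS-tunnelling/DGA review signal."""
    return sorted(d for d, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    counts = unique_subdomains_per_domain(SAMPLE_LOGS)
    for dom, c in sorted(counts.items()):
        print(f"{dom}\t{c}")
    print("review:", flag_high_fanout(counts, threshold=4))
```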