Getting Data In

Top DNS queries from DNS logs

Explorer

Hello,

I wanted to know what would be the best way to see the top 20 FQDN coming from DNS

To get to the results below I had to run this command

index="MyDNSlog" sourcetype=dns | rex mode=sed "s/\(\d+\)/./g" 

8/15/2012 10:27:11 AM 08E8 PACKET  000000000443D750 UDP Snd 192.168.44.2     0f93 R Q [8085 A DR  NOERROR] A      .google.com.

host=MYDNS Options| sourcetype=dns Options| source=C:\dir\dns444.log Options| timeendpos=22 Options

How can I further extract the domain name in order to view top 20 DNS queries

Thank you

Tags (1)
0 Karma
1 Solution

Ultra Champion

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

View solution in original post

0 Karma

Ultra Champion

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

View solution in original post

0 Karma

Explorer

Thank you very much. That works

0 Karma