Solved: Re: Top DNS queries from DNS logs

tevgey23 · ‎08-15-2012

Hello,

I wanted to know what would be the best way to see the top 20 FQDN coming from DNS

To get to the results below I had to run this command

index="MyDNSlog" sourcetype=dns | rex mode=sed "s/\(\d+\)/./g" 

8/15/2012 10:27:11 AM 08E8 PACKET  000000000443D750 UDP Snd 192.168.44.2     0f93 R Q [8085 A DR  NOERROR] A      .google.com.

host=MYDNS Options| sourcetype=dns Options| source=C:\dir\dns444.log Options| timeendpos=22 Options

How can I further extract the domain name in order to view top 20 DNS queries

Thank you

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

tevgey23 · ‎08-15-2012

Thank you very much. That works

Top DNS queries from DNS logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation