Solved: Top DNS queries from DNS logs

tevgey23 · ‎08-15-2012

Hello,

I wanted to know what would be the best way to see the top 20 FQDN coming from DNS

To get to the results below I had to run this command

index="MyDNSlog" sourcetype=dns | rex mode=sed "s/\(\d+\)/./g" 

8/15/2012 10:27:11 AM 08E8 PACKET  000000000443D750 UDP Snd 192.168.44.2     0f93 R Q [8085 A DR  NOERROR] A      .google.com.

host=MYDNS Options| sourcetype=dns Options| source=C:\dir\dns444.log Options| timeendpos=22 Options

How can I further extract the domain name in order to view top 20 DNS queries

Thank you

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎08-15-2012

If you want the google.com or amazon.com or dummy.domain.here at the end of the event, something like this should do;

...| rex "\s+\.(?<domain>.+)\.$" | top 20 domain

hope this helps,

Kristian

tevgey23 · ‎08-15-2012

Thank you very much. That works

Top DNS queries from DNS logs

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Top DNS queries from DNS logs

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...