The query looks like:
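``` Match non-PTR DNS query names against the CTI domain list (triple-backtick comments need Splunk 8.0+) ```
sourcetype="DNS" NOT dns_record_type="PTR"
``` Rewrite the length-prefixed name "(3)www(6)example(3)com(0)" as ".www.example.com." ```
``` The original "s/(\d+)/./g" left the parentheses unescaped, so it replaced every digit run in the event (the IP, the message id) with ".", after which the "[\d.]+" / id classes below could no longer match ```
| rex mode=sed "s/\(\d+\)/./g"
``` The original pattern ended in a bare "." and had no capture group, so domaindns was never populated and every later step ran on an empty field ```
``` NOTE(review): the anchors (Rcv, IP, id, op, "[...]", type) are taken from the original pattern; confirm against a sample event ```
| rex field=_raw "Rcv\s+[\d.]+\s+\S+\s+[A-Z]+\s+\[[^\]]*\]\s+[A-Z]+\s+\.?(?<domaindns>\S+)"
``` Drop the root-label dot; rtrim does not depend on the trailing character actually being "." the way substr(...,len-1) did ```
| eval domaindns = rtrim(domaindns, ".")
| stats count by domaindns
| rename domaindns as value
| fields - count
``` join is bounded by subsearch limits (50,000 rows / 60 s by default) and truncates a large CTI feed silently; a lookup table (| lookup cti_domains value OUTPUT ...) or a stats-based correlation scales better ```
| join type=inner value [search sourcetype="CTI" type="domain" | stats count by value | fields - count]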