Count total DNS queries

Marko_Todoric · February 28, 2019, 10:37am

Hello everyone,

I'm trying to figure out the best way to count total DNS Queries per hour or day. I can easily adjust period. But what would be the best way to count this?
Packetbeat is sending data to elasticsearch and i use kibana to visualize.
So far I've created a visualization like this:

Metrics
Y-Axis Unique count of _id

Buckets
X-Axis @timestamp per hour

At first it did the trick and then started displaying errors like "10 of 21 shards failed" with " No results found".
I could also use:

Metrics
Y-Axis Count

Buckets
X-Axis @timestamp per hour

That would display me the results but would that be correct way?
I tried counting the dns.id field but I've noticed that i have a lot of duplicate DNS ID's for different client_ip addresses so that is definitely not the correct way.
I could also count the client_ip's but that way i will not have a timestamp, instead it will just display top 5 IPs with number of hits.

So how am i to reach the most accurate data? Is my second example good enough?
I have a DNS that receives really large traffic, so i cannot manually count it to make sure

nickpeihl · February 28, 2019, 7:59pm

The answer might depend on which visualization you use. But a Line visualization with the X-Axis set to Date Histogram is how I might do this.

Setting Y-Axis to Count will count all documents in the index for time period. So I think that's what you want. Or you might try setting Unique Count on the dns.id field to get rid of the duplicates.

Marko_Todoric · February 28, 2019, 10:26pm

That is how i actually have it set. I just forgot to mention that Bucket with the X-Axis is set to Date Histogram. So that's definitely good! Nice to know, thanks!!

As for the other option, if i set it to Unique count dns.id, it will leave out duplicates, yes. But there are multiple different clients (queries from client_ip) that are using the same dns.id. So those will be ignored. Don't know why. So it will not display correct data. Just for the record, if i set it to unique count dns.id it will show approx 65k hits. If i set X Axis to Date Histogram and Y to count. It will show up as 180k hits. That seems more like accurate result.

system · March 28, 2019, 10:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Visualizing count differences Kibana	7	1226	October 24, 2019
Graphing Unique and Total Website Hits Kibana	7	1172	December 6, 2018
Vertical Bar Unique Count all counts = 1 Kibana	7	1079	April 11, 2021
Date histogram query; count values Elasticsearch	3	1166	June 8, 2018
Complex graphing Kibana	2	358	March 20, 2022

Count total DNS queries

Related topics