This query uses a compound query: the first stage builds a temporary DNS cache (A record address to queried name) over the selected time window and exposes it as the resource @dnsCache, and the second stage looks up the source and destination address of each netflow record in that cache, so byte counts from netflow can be summed by DNS name rather than by IP. Flows where neither address resolved to a name seen in the window are dropped by require Name.

@dnsCache{
  tag=dns json Question.Hdr.Name Question.A
  | require A
  | unique Name A
  | table
};
tag=netflow netflow Src Dst Bytes
  | lookup -r @dnsCache Src A Name
  | lookup -r @dnsCache Dst A Name
  | require Name
  | stats sum(Bytes) by Name
  | table Name sum
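
To make the join semantics concrete, here is an added Python model of the same two stages that is not part of the original post or of Gravwell. It runs over constructed DNS and netflow records (not real data) and assumes two things about the lookup module as used above: a lookup that finds no match leaves the entry unchanged (which is why the query needs require Name), and a matching Dst lookup overwrites the Name set by the Src lookup. The first matching cache row is assumed to win when one address was answered for more than one name.

```python
import json
from collections import defaultdict

# Constructed DNS answer records shaped like what "json Question.Hdr.Name Question.A"
# would extract. Not captured data.
DNS_LOG = [
    '{"Question": {"Hdr": {"Name": "updates.example.com."}, "A": "203.0.113.10"}}',
    '{"Question": {"Hdr": {"Name": "cdn.example.net."}, "A": "198.51.100.7"}}',
    '{"Question": {"Hdr": {"Name": "updates.example.com."}, "A": "203.0.113.10"}}',  # duplicate pair, removed by "unique Name A"
    '{"Question": {"Hdr": {"Name": "mx.example.org."}, "A": ""}}',                    # no A record, removed by "require A"
    '{"Question": {"Hdr": {"Name": "other.example.net."}, "A": "198.51.100.7"}}',    # same address, second name (shared CDN address)
]

# Constructed netflow records as (Src, Dst, Bytes).
NETFLOW = [
    ("192.0.2.25", "203.0.113.10", 1500),
    ("203.0.113.10", "192.0.2.25", 48000),
    ("192.0.2.25", "198.51.100.7", 720),
    ("192.0.2.25", "192.0.2.99", 9000),      # neither side in the cache: dropped by "require Name"
    ("203.0.113.10", "198.51.100.7", 300),   # both sides in the cache: the Dst lookup wins
]


def build_dns_cache(dns_lines):
    """Model of the @dnsCache{...} stage: require A, unique Name A, keyed by A for lookup."""
    cache = {}
    for line in dns_lines:
        rec = json.loads(line)
        name = rec["Question"]["Hdr"]["Name"]
        addr = rec["Question"]["A"]
        if not addr:                 # require A
            continue
        # unique Name A keeps one row per (Name, A); lookup keys on A, and we assume the
        # first row for an address is the one returned, so setdefault models that.
        cache.setdefault(addr, name)
    return cache


def bytes_by_name(flows, cache):
    """Model of the netflow stage: two lookups, require Name, stats sum(Bytes) by Name."""
    totals = defaultdict(int)
    dropped = 0
    for src, dst, nbytes in flows:
        name = None
        if src in cache:             # lookup -r @dnsCache Src A Name
            name = cache[src]
        if dst in cache:             # lookup -r @dnsCache Dst A Name (overwrites if it matches)
            name = cache[dst]
        if name is None:             # require Name
            dropped += 1
            continue
        totals[name] += nbytes       # stats sum(Bytes) by Name
    return dict(totals), dropped


def run_query(dns_lines=DNS_LOG, flows=NETFLOW):
    """Run both stages and return (cache, totals by name, flows dropped)."""
    cache = build_dns_cache(dns_lines)
    totals, dropped = bytes_by_name(flows, cache)
    return cache, totals, dropped


if __name__ == "__main__":
    cache, totals, dropped = run_query()
    for name, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{name:24s} {total}")
    print(f"flows dropped (no name on either side): {dropped}")
```

Two things the model makes visible that are worth keeping in mind when reading the pie chart: a flow between two hosts that both resolved is counted once, under the destination's name, because the second lookup overwrites the first; and an address that answered for several names (typical of CDN and shared hosting) is attributed to a single name for the whole window, so per-name byte totals for such addresses are an approximation.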


Below is a pie chart with sample output of this query:


Visit to view an archive of our previous Query of the Week posts.