This query uses a compound query to build a temporary DNS cache over the given time window, then references NetFlow traffic against that cache, making it possible to sum NetFlow byte counts by DNS name rather than by bare IP address.
@dnsCache{ tag=dns json Question.Hdr.Name Question.A | require A | unique Name A | table};tag=netflow netflow Src Dst Bytes | lookup -r @dnsCache Src A Name | lookup -r @dnsCache Dst A Name | require Name | stats sum(Bytes) by Name | table Name sum
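To make the join logic of the query explicit, here is the same pipeline written out in plain Python. This is an added illustration, not Gravwell code and not part of the original post: the DNS and NetFlow records are constructed sample data, the field names (Question.Hdr.Name, Question.A, Src, Dst, Bytes) follow the query above, and the cache is keyed on the answer address to mirror a lookup on column A. One simplification is labelled in the code: the cache keeps a single name per address, whereas `unique Name A` keeps every distinct (Name, A) pair. The model also assumes that a lookup which misses leaves the output column untouched, so when both Src and Dst resolve, the second `lookup` (on Dst) decides the Name; if that is not the attribution you want, run the two lookups into differently named columns.

```python
"""Added illustration (not Gravwell code): the compound query's DNS cache
join reproduced in Python over constructed sample records."""
from collections import defaultdict

# Constructed sample DNS answer records (stand-ins for the tag=dns JSON entries).
# Only the fields the query extracts are modelled: Question.Hdr.Name and Question.A.
DNS_RECORDS = [
    {"Question": {"Hdr": {"Name": "example.com."}, "A": "93.184.216.34"}},
    {"Question": {"Hdr": {"Name": "example.com."}, "A": "93.184.216.34"}},  # duplicate row
    {"Question": {"Hdr": {"Name": "cdn.example.net."}, "A": "203.0.113.10"}},
    {"Question": {"Hdr": {"Name": "mail.example.org."}}},  # no A field: dropped by `require A`
]

# Constructed sample NetFlow records (stand-ins for the tag=netflow entries).
NETFLOW_RECORDS = [
    {"Src": "10.0.0.5", "Dst": "93.184.216.34", "Bytes": 1500},
    {"Src": "93.184.216.34", "Dst": "10.0.0.5", "Bytes": 3000},
    {"Src": "10.0.0.7", "Dst": "203.0.113.10", "Bytes": 700},
    {"Src": "10.0.0.7", "Dst": "198.51.100.9", "Bytes": 999},  # never resolved: dropped by `require Name`
    {"Src": "203.0.113.10", "Dst": "93.184.216.34", "Bytes": 50},  # both ends resolve
]


def build_dns_cache(records):
    """Mirror `json Question.Hdr.Name Question.A | require A | unique Name A`.

    Returns a dict keyed by answer address, like a lookup table keyed on
    column A. Simplification (assumed here): one name is kept per address;
    `unique Name A` would keep every distinct (Name, A) pair.
    """
    cache = {}
    for rec in records:
        question = rec.get("Question", {})
        name = question.get("Hdr", {}).get("Name")
        addr = question.get("A")
        if name is None or addr is None:  # `require A` (and a usable Name)
            continue
        cache.setdefault(addr, name)  # first name seen for an address wins
    return cache


def bytes_by_name(netflow, cache):
    """Mirror the two `lookup -r @dnsCache <col> A Name` steps, `require Name`
    and `stats sum(Bytes) by Name`.

    Assumption modelled here: a lookup miss leaves Name unset, so when both
    Src and Dst hit the cache the Dst lookup (run last) decides the Name.
    """
    totals = defaultdict(int)
    for flow in netflow:
        name = None
        if flow["Src"] in cache:  # lookup -r @dnsCache Src A Name
            name = cache[flow["Src"]]
        if flow["Dst"] in cache:  # lookup -r @dnsCache Dst A Name (overwrites on hit)
            name = cache[flow["Dst"]]
        if name is None:  # require Name: unresolved traffic is dropped
            continue
        totals[name] += flow["Bytes"]  # stats sum(Bytes) by Name
    return dict(totals)


if __name__ == "__main__":
    dns_cache = build_dns_cache(DNS_RECORDS)
    for dns_name, total in sorted(bytes_by_name(NETFLOW_RECORDS, dns_cache).items()):
        print(f"{dns_name:20s} {total}")  # the rows a `table Name sum` would show
```

Running it on the constructed data attributes 4550 bytes to example.com. and 700 to cdn.example.net.; the 999-byte flow to an address that never appeared in a DNS answer is dropped, which is the blind spot to keep in mind with this technique: traffic to addresses resolved outside the time window, or never resolved through the monitored resolver, silently disappears from the chart.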
Below is a pie chart with sample output of this query:
Visit gravwell.io/query to view an archive of our previous Query of the Week posts.