faststeak · June 12, 2018 17:54
diff --git a/gistfile1.txt b/gistfile1.txt
 | tstats summariesonly=true allow_old_summaries=true values(DNS.answer) as ip_query from datamodel=Network_Resolution.DNS where "DNS.message_type"=RESPONSE "DNS.record_type"=A* NOT DNS.answer="unknown" AND NOT DNS.answer="127.*" AND NOT DNS.answer="*:*" AND NOT DNS.query="*._msdcs.*" by "DNS.query"
    | rename DNS.query as dns 
    | lookup cim_corporate_web_domain_lookup domain as dns output domain as found 
    | search found=*
    | eval dns=lower(dns)
	\| tstats summariesonly=true allow_old_summaries=true values(DNS.answer) as ip_query from datamodel=Network_Resolution.DNS where "DNS.message_type"=RESPONSE "DNS.record_type"=A* NOT DNS.answer="unknown" AND NOT DNS.answer="127." AND NOT DNS.answer=":" AND NOT DNS.query="._msdcs.*" by "DNS.query"
	\| rename DNS.query as dns
	\| lookup cim_corporate_web_domain_lookup domain as dns output domain as found
	\| search found=*
	\| eval dns=lower(dns)