You can filter DNS query data using the filter menu or advanced filter command bar.
- Click the Text filter toggle to switch between the filter menu and text filter command bar.
- Click Add filter to select additional filter parameters.
For filters that accept input, once you have selected that filter, the input
field auto completes values as you begin to type:
- Time: Sets the data filter for the specified time
frame.
- You can specify whether you want date returned within the Last 10 minutes, Last 1 hour, Last 24 hours, Yesterday, Last 7 days, or a Custom time frame. By default, the DNS activity page returns all queries logged.
- When using Custom, select two dates on the calendar to
specify the time frame. You can also manually enter the date and
time in the Start and End fields. This can include
both the date and time, or only a date or only a time. If no
time is specified, results are returned from 00:00:00
(midnight).Note: If you are using keyboard navigation, you can use the Page Up and Page Down keys to navigate between months and years on the calendar.
- By default, DNS Insights tab is optimized to display data collected within the last 7 days. Changing the time frame doesn't modify this default period.
- Site: Sets the data filter for the specified site name.
- Source IP: Sets the data filter for the specified source IP address(es). Must be a valid IPv4 or IPv6 address, or list of IPv4 or IPv6 addresses.
- Query Name: Sets the data filter for the specified query name.
- Query Type: Sets the data filter for the specified query type.
- Response Code: Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
- Response IP: Sets the data filter for the DNS events resolving to either of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es).
- Policy: Sets the data filter for the specified policy name.
- Policy Action: Sets the data filter for the specified policy action (Trust, Block, Monitor, Redirect, None).
- Threat Type: Sets the data filter for the specified threat type (DGA, Tunneling).
- Threat Indicator: Sets the data filter for the specified threat indicator (Entropy, Advanced DGA, Host Size, Suspect DNS, Suspect TLD, Uncommon Rec, Unique Char, Vol Tunnel).
- Protocol: Sets the data filter for the specified query protocol (TCP, UDP).
- Namespace Name: Sets the data filter for the specified namespace.
- Latency: Sets the data filter for the specified latency range for DNS queries. Select None (0 - 1 ms), Low, (1- 20 ms), Medium (20 - 100 ms), High (100 and above ms), or Custom (in milliseconds). If you select Custom, FROM must be less than or equal to TO.
- User ID: Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site.
You can edit filter parameters by selecting the name of the parameter or delete filter parameters by clicking the x icon next to the filter.
- Time: Sets the data filter for the specified time
frame.
Filter commands
Use the following filter commands in the BlueCat Edge text filter command bar.
/time last10minutes | last1hour | last24hours | yesterday | last7days | Sets the data filter start date and time.
|
/time from MM-DD-YYYY HH:MM:SS to MM-DD-YYYY HH:MM:SS | Sets the data filter date and end time, exclusively. For example, if you set /time from 06-28-2023 10:10:10 to 06-28-2023 23:59:59, the filter returns data from June 28, 2023 at 10:10:10 to June 28, 2023 at 23:59:58. |
/site SiteName | Sets the data filter for the specified site name. |
/source SourceIp | Sets the data filter for the specified source IP address(es). Must be a valid IPv4 address or a list of IPv4 addresses. |
/querytype QueryType | Sets the data filter for the specified query type. |
/queryname QueryName | Sets the data filter for the specified query name. |
/responsecode ResponseCode | Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL). |
/responseip IPAddress | Sets the data filter for the DNS events resolving to either of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es). |
/policyname PolicyName | Sets the data filter for the specified policy name. |
/policyaction PolicyAction | Sets the data filter for the specified policy action (none, allow, block, monitor, redirect). |
/protocol QueryProtocol | Sets the data filter for the specified query protocol (TCP, UDP). |
/namespace QueryNamespace | Sets the data filter for the specified namespace. |
/threattype threat | Sets the data filter for the specified threat type (dga, tunneling). |
/threatind indicator | Sets the data filter for the specified threat indicator (entropy, advdga, hostSize, uniqueChar, uncommonRec, SusTLD, SusDNS, voltunnel). |
/latency none | Sets the data filter for the none (0 - 1 ms) latency range for DNS queries. |
/latency low | Sets the data filter for the low (1 - 20 ms) latency range for DNS queries. |
/latency medium | Sets the data filter for the medium (20 - 100 ms) latency range for DNS queries. |
/latency high | Sets the data filter for the medium (100 and above ms) latency range for DNS queries. |
/latency [from <int>] [to <int>] | Sets the data filter for the selected latency range for DNS queries. from must be less than or equal to to. |
/userId UserId | Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site. |
Filter command tips
- Enter times in 24-hour format (HH:MM:SS). All digits are required.
- Enter dates in MM-DD-YYYY format (03-15-2023). All digits are required.
- You can copy a list of filter values and paste them to text
filter command bar.
For example:
If you copy the following list for the /queryname filter command:
abc.com
meow.com
ham.com
Then paste them to the text filter command bar, the list of items will display as comma separated:
- If you enter the incorrect filter commands and values, a list of errors will display below the text filter command bar..
- Filters become active when you press Enter and remain active until you change the text in the command bar. Active filters are indicated by green text in the command bar.
- Click
to view the filter history. You can delete and pin items in the
list.Note: You can pin up to 10 items in the list.
- You can copy the URL of a filter by clicking , then right-clicking the filter > Copy Link Address. You can also copy the URL in the URL field of your browser.
- You can extend your search for more than one item at a time by
adding multiple items, separated by commas. For example:
/policyaction block, redirect
Note: The extended search is only available for the following filters:- /site
- /source
- /querytype
- /queryname
- /protocol
- /namespace
- /response
- /policyname
- /policyaction
- /threattype
- /threatind
- You can use one or more filters at a time on the command line. For example, you can combine filters for date/time, policy action, and site name.
- Using the BlueCat Edge dashboard, you can select
a time range on the graph to filter DNS queries in the DNS
Activity window. You can deselect one or more policy actions to
filter both by the selected time range, and the visible policy actions.