Skip to main content

DNS Query Monitoring Metrics

DNS Query Monitoring

uberAgent collects detailed information about DNS queries: the request, all responses, and the process from which the query originated.


  • Source type: uberAgentESA:Process:DnsQuery
  • Used in dashboards: Process DNS
  • Enabled through configuration setting: DnsMonitoring
  • Related configuration settings: n/a
  • Supported platform: all

List of Fields in the Raw Agent Data

Field Description Data type Unit Example
ProcName Process name. String svchost.exe
ProcGUID Process GUID. String 4b3e3686-7854-4d98-0023-1e0e617bf2e4
DnsRequest DNS query name. String
DnsResponse DNS query response. String
DnsResponseType DNS query response type (e.g.: A, AAAA, CNAME). String A
DnsEventCount Number of requests in the last interval. Number 1
DnsRisk52Chars Tests whether the DNS host name contains more than 52 chars. Number 1
DnsRisk27UniqueChars Tests whether the DNS host name contains more than 27 unique chars. Number 1
DnsRiskEmptyResponse Tests whether the response is either not available or empty (e.g., SOA). Number 1
DnsRiskTXTRecord Tests for the uncommon response type TXT. Number 1
DnsRiskHighEntropy Tests the DNS request for high entropy based on Shannon entropy. Number 1
DnsResponseStatus Dns response status. Empty if the query was successful. Any other value indicates an error. Number 9501

The fields DnsRequest, DnsResponse, and DnsResponseType may contain multiple values, separated by a semicolon ;.

List of Calculated Fields

Field Description Data type Unit Example Where available
TimestampMs _time * 1000. Number ms 1585913547467 Splunk data model


Your email address will not be published. Required fields are marked *