Forum Discussion
OMS DNS Analytics solution discrepancy
Hi,
Possible reasons could be:
1. Ingestion time - it usually takes around 10 minutes for events to be ingested and searchable.
2. Client capping - the UI client caps the results at 10K. The API will return the full set of results.
3. Query - by default, queries are not sorted by anything. When you review your query results, bear that in mind.
Noa
- Vedran Matica, Jan 29, 2018, Copper Contributor
Noa,
I ran Log Analytics searches a few hours after generating random name resolution lookup queries, so data should have been ingested by then.
Besides that, the number of results is far from the UI limit.
Vedran
- Noa Kuperberg, Jan 30, 2018, Microsoft
Hi Vedran, in that case I would contact support to review what went wrong.
Noa
- Vedran Matica, Jan 30, 2018, Copper Contributor
Noa,
I figured it out in the meantime. Random domain name lookup queries were generated with characters which are invalid according to the DNS RFC specification. After excluding invalid characters from lookups, I am getting results which are aligned with the testing scenario.
Kind regards,
Vedran
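The following is an added example, not part of the thread or of any poster's code: one way to generate random test names that stay within valid characters and to pre-check a list of names before using it for a DNS Analytics count comparison. It assumes "invalid characters" means violations of the letter-digit-hyphen hostname rule (RFC 1035 as relaxed by RFC 1123); the function names and the `test.example` suffix are hypothetical.

```python
import random
import re
import string

# Assumption: a valid label follows the letter-digit-hyphen (LDH) rule:
# 1-63 characters, starts and ends with a letter or digit, hyphens only inside.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_NAME_LEN = 253  # limit for a full name in text form, without the trailing dot


def is_valid_hostname(name):
    """Return True if every label of `name` satisfies the LDH rule."""
    if name.endswith("."):
        name = name[:-1]  # a single trailing root dot is allowed
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


def random_label(rng, length):
    """Build one random label that is valid by construction."""
    edge = string.ascii_lowercase + string.digits
    if length == 1:
        return rng.choice(edge)
    middle = "".join(rng.choice(edge + "-") for _ in range(length - 2))
    return rng.choice(edge) + middle + rng.choice(edge)


def generate_test_names(count, suffix="test.example", seed=None):
    """Return `count` unique random names under `suffix` (placeholder zone)."""
    rng = random.Random(seed)
    names = set()
    while len(names) < count:
        names.add(f"{random_label(rng, rng.randint(8, 20))}.{suffix}")
    return sorted(names)


def split_by_validity(names):
    """Separate names expected to be counted from ones that break the LDH rule."""
    valid = [n for n in names if is_valid_hostname(n)]
    invalid = [n for n in names if not is_valid_hostname(n)]
    return valid, invalid


# Constructed sample input: two valid names and three with invalid characters.
SAMPLE = ["a1b2c3.test.example", "bad_name.test.example", "-lead.test.example",
          "sp ace.test.example", "ok-name.test.example"]

if __name__ == "__main__":
    valid, invalid = split_by_validity(SAMPLE)
    print("expected in results:", valid)
    print("excluded before testing:", invalid)
```

Comparing the query result count against `len(valid)` rather than the raw number of generated names keeps the test scenario and the expected total aligned.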