SOLVED

OMS DNS Analytics solution discrepancy

Vedran Matica
New Contributor

I have configured a custom OMS workspace with the DNS Analytics solution enabled. For testing purposes I have generated 43K+ random name resolution queries on a test VM against the DNS server that is reporting to OMS. When searching collected data of the DnsEvents type, I see that only a handful of queries originating from the test VM are captured on the OMS side. There is a great discrepancy between what I expect to be captured and what I see in Log Analytics search results.

6 Replies

Hi,

Possible reasons could be:

1. Ingestion time - it usually takes around 10 minutes for events to be ingested and searchable.

2. Client capping - the UI client caps the results at 10K. The API will return the full set of results.

3. Query - by default, queries are not sorted by anything. When you review your query results, bear that in mind.


Noa

Noa,


I ran Log Analytics searches a few hours after generating random name resolution lookup queries, so data should have been ingested by then.


Besides that, the number of results is far from the UI limit.


Vedran

Hi Vedran, in that case I would contact support to review what went wrong.

Noa

Solution

Noa,


I figured it out in the meantime. Random domain name lookup queries were generated with characters which are invalid according to the DNS RFC specification. After excluding invalid characters from lookups, I am getting results which are aligned with the testing scenario.


Kind regards,

Vedran
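The root cause above is that the test generator emitted names that are not valid hostnames, so DNS Analytics never recorded them. The following is an added example (not the poster's tooling and not part of the DNS Analytics solution) that validates and sanitizes generated query names; it assumes the RFC 1035/1123 hostname label rules are what "invalid per DNS RFC" refers to, and `example.com` is a placeholder zone.

```python
import random
import re
import string

# Assumed rule set (RFC 1035 / RFC 1123 hostnames): each label is 1-63
# characters of letters, digits and hyphens, may not start or end with a
# hyphen, and the whole name is at most 253 characters.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_NAME_LEN = 253
ALLOWED_CHARS = set(string.ascii_lowercase + string.digits + "-")


def is_valid_hostname(name: str) -> bool:
    """True if every label of `name` passes the hostname rules above."""
    name = name.rstrip(".")  # a single trailing dot marks an absolute name
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def sanitize_hostname(name: str) -> str:
    """Drop characters outside the allowed set from each label and
    trim leading/trailing hyphens, which is what the poster did on the
    client side to make the generated lookups valid."""
    labels = []
    for label in name.lower().split("."):
        cleaned = "".join(c for c in label if c in ALLOWED_CHARS).strip("-")
        if cleaned:
            labels.append(cleaned[:63])
    return ".".join(labels)


def generate_test_batch(count: int, seed: int, zone: str = "example.com") -> list:
    """Generate `count` random, RFC-valid query names under `zone`
    (placeholder zone) for load-testing a DNS server."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    batch = []
    for _ in range(count):
        label = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 12)))
        batch.append(f"{label}.{zone}")
    return batch


def count_droppable(names: list) -> int:
    """How many names in a batch would be rejected by the rules above;
    a large number here explains a gap between queries sent and events seen."""
    return sum(1 for n in names if not is_valid_hostname(n))
```

Run `count_droppable` over the names your generator actually sent to see how much of the expected volume was never eligible for collection.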

Glad to hear that, we learned something new.
If you'd like to post your query here we can also use it to add a documentation article or note on that use case.
Thanks for sharing Vedran!

Glad to help, but actually there is nothing to share. I didn't come up with a particularly special Log Analytics Query Language query.


I made amendments on the DNS client side (the device generating random DNS queries for testing purposes), meaning that random DNS queries were modified to exclude characters which are invalid per DNS RFC.
