Usually bad or suspicious behaviour starts on one client.
Like a lot of queries to domains that are from a domain generation algorithm and fail more often compared to other clients queries.
Or you are looking for the requests of one client and don't want to see everything else.
It would be nice to not only be able to check for blocked /forwarded and the time range, but also say
"i only want to see query from my smart tv for an a-record that were answered with nxdomain"