All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Access Virus Total permalink with Splunk

da_la97
Engager
‎01-03-2020 02:14 AM

I am interested in developing an app where Virus total URL scan results will be displayed (rather than the permalink) in Splunk. To be more specific access the data in the Virus Total Permalink and in the permalink it says under "scans" "detected" if it is True output clean site else else Not clean.

I have generated the code for checking if "scans" "detected" is True/False. But I do not know how to access data in Virus total permalink through splunk

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tomaszdziwok
Path Finder
‎01-03-2020 03:00 AM

With "VirusTotal Malware Lookup for Splunk", this should be possible.
While in its default mode the | virustotal command outputs structured fields (columns), you can also run the command in "raw" mode - where all the output sent by VirusTotal is passed back to Splunk in json format. From there it should be possible to use | spath or a similar Splunk command to post-process the json and extract relevant fields.

Default usage:
alt text

Raw json output mode:
alt text

(please excuse the small images - it may be worth opening them in a different tab to better see content)

Unfortunately, any additional data that's not included in the json is currently not obtainable by the TA.
Hopefully this helps.
Please reach out with any further questions.

Thanks,
Tomasz

View solution in original post

Preview file
169 KB
Preview file
97 KB
Reply
Solved! Jump to solution
Solution

tomaszdziwok
Path Finder
‎01-03-2020 03:00 AM

With "VirusTotal Malware Lookup for Splunk", this should be possible.
While in its default mode the | virustotal command outputs structured fields (columns), you can also run the command in "raw" mode - where all the output sent by VirusTotal is passed back to Splunk in json format. From there it should be possible to use | spath or a similar Splunk command to post-process the json and extract relevant fields.

Default usage:
alt text

Raw json output mode:
alt text

(please excuse the small images - it may be worth opening them in a different tab to better see content)

Unfortunately, any additional data that's not included in the json is currently not obtainable by the TA.
Hopefully this helps.
Please reach out with any further questions.

Thanks,
Tomasz

Preview file
169 KB
Preview file
97 KB
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...