Solved: Re: CentralOps Whois Technology Add-On: How to cha...

jairjr · ‎04-20-2017

When trying an ip without a domain, like for example: 173.xxx.xxx.129, I get: resolved_domain 173.xxx.xxx.129.

How can I set it to bring me another field instead when no domain is found?

doksu · ‎04-20-2017

The app doesn't currently support IP lookups, however I've raised a feature request on your behalf (https://github.com/doksu/TA-centralops/issues/4), which I'll endeavour to have implemented next week. Once complete I'll post an update here.

View solution in original post

doksu · ‎04-27-2017

Thanks for the question jairjr. As per my previous answer, I've now added a new feature to support ip whois queries. Please see https://splunkbase.splunk.com/app/3506/

Also, if you need autonomous system (ASN) information, be sure to check out my asngen app: https://splunkbase.splunk.com/app/3531/

doksu · ‎05-01-2017

Hi jairjr, could you please accept this answer?

doksu · ‎04-20-2017

The app doesn't currently support IP lookups, however I've raised a feature request on your behalf (https://github.com/doksu/TA-centralops/issues/4), which I'll endeavour to have implemented next week. Once complete I'll post an update here.

jairjr · ‎04-20-2017

Got it, thank you for the quick response.

doksu · ‎04-27-2017

As promised, I've implemented this new feature.

jairjr · ‎04-28-2017

Thank you! Do you have idea why some IPs just bring me the field resolved_domain?

doksu · ‎05-01-2017

Do you get a response if you use the 'whois' command to query that IP from your local machine? The information presented in the app comes from https://centralops.net/co/domaindossier.aspx, so if that site doesn't return any results for an IP, you'll just get a 'resolved_domain' field in the app.

CentralOps Whois Technology Add-On: How to change default output?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?