I get the following error when performing a MAC Address OUI lookup.
"External search command 'ouilookup' returned error code 1. "
I've looked up the MAC address on another site and it returns an answer.
I did not see any errors in splunkd.log.
What could be wrong? Where else can I look for clues?
Interesting... I do not get that error message. If I type in 00, this is what I get:
What happens when you go to App: Forensic Investigator --> "Splunk" --> "Search".... and type in the following:
| script ouilookup __EXECUTE__ 00
Note: Make sure you are in the Forensic Investigator program. Make sure you lead that command with a pipe.
Thanks for quick response. I still get error when entering '00'. Even the search returns same error.
I am in App: Forensic Investigator context.
I have screenshot but not sure how to add to my comment.
Appreciate your help.
No problem. Is your Splunk instance running on Windows or Linux?
What do you get when you run the following command via the command line? (Assuming Linux install)
/opt/splunk/bin/python /opt/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py __EXECUTE__ 00096B
I get the following:
answer "00096B<,>IBM Corp"
Here is the output of your command:
[root@myserver bin]# python /var/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py EXECUTE 000
Traceback (most recent call last):
File "/var/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py", line 7, in
ImportError: No module named splunk.Intersplunk
Wow. As far as I know splunk.Intersplunk is part of the base install.
Can you run any of the other scripts? URL decode uses the same basic construct as the MAC OUI lookup. Same with the base64 script. Can you use either of those ok?
Email me via the "Help" -> "Send Feedback" link within the app