Using the Network Toolkit app, I want to run the whois command on multiple IPs with one command, such as reading from a lookup. Is that possible?
i.e. |whois IP1, IP2, IP3
You use the whois lookup command that is included in the Network Toolkit app. See (https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups).
For example, your search may end with the lookup command like this:
... | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
Hi Luke,
I'm trying to use the lookup as you have it here, but all of those fields come out blank. The only fields that return anything are _raw and host. Additionally, if I do | table *
then contact.address contact.email contact.name contact.phone
all return with the correct results, but no other fields from the whois lookup populate. Is there something I am doing wrong?
I also can't get this to work. Hopefully, someone has a solution.
The same happens to me too.
Could someone correct it, please?
We were having the same problem and discovered that we were getting the below errors in the search.log (Job-->Inspect Job->Search job properties - search.log) even though there was no indication of an issue. We are running Splunk Enterprise version 8.1.2, which defaults to python3. We were able to get the lookups working by setting them to run as python2.
We added a custom /opt/splunk/etc/apps/network_tools/local/transforms.conf.
[whois]
python.version = python2
[nslookup]
python.version = python2
[traceroute]
python.version = python2
[ping]
python.version = python2
[portscan]
python.version = python2
Example Errors:
05-25-2021 15:14:39.784 INFO PreviewExecutor - Preview Enforcing initialization done
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': Exception in thread ping_lookup:
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': Traceback (most recent call last):
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/lib/python3.7/threading.py", line 926, in _bootstrap_inner
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': self.run()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/lib/python3.7/threading.py", line 870, in run
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': self._target(*self._args, **self._kwargs)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/custom_lookup.py", line 253, in do_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': self.execute_lookup(result, w, fieldnames)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/custom_lookup.py", line 210, in execute_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': output = self.do_lookup(**keyword_arguments)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/whois_lookup.py", line 55, in do_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': index = get_default_index()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 133, in get_default_index
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': app_config = get_app_config(session_key)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 106, in get_app_config
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': conf = ConfigParser.SafeConfigParser()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': AttributeError: type object 'ConfigParser' has no attribute 'SafeConfigParser'
05-25-2021 15:14:40.270 INFO DispatchExecutor - END OPEN: Processor=noop
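Added example (not part of the original thread and not the Network Toolkit app's code): because the lookup fails silently in the UI, this sketch reassembles the ScriptRunner stderr lines from a search.log into one finding per script, reporting the interpreter, the final exception and the innermost frame. The function name summarize_script_errors and the regular expressions are assumptions based only on the log format shown above; the sample is a shortened excerpt of those lines.

```python
import re
from collections import OrderedDict

# Sample input: a shortened excerpt of the search.log lines posted above,
# embedded inline so the example runs offline.
SAMPLE_LOG = """\
05-25-2021 15:14:39.784 INFO PreviewExecutor - Preview Enforcing initialization done
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': Traceback (most recent call last):
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 106, in get_app_config
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': conf = ConfigParser.SafeConfigParser()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host': AttributeError: type object 'ConfigParser' has no attribute 'SafeConfigParser'
05-25-2021 15:14:40.270 INFO DispatchExecutor - END OPEN: Processor=noop
"""

# Assumed line layout: "<date> <time> ERROR ScriptRunner - stderr from '<interp> <script> <args>': <msg>"
STDERR_RE = re.compile(
    r"^\S+ \S+ ERROR ScriptRunner - stderr from '(?P<interp>\S+) (?P<script>\S+)[^']*': (?P<msg>.*)$"
)
FRAME_RE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
EXC_RE = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<detail>.*)$")

def summarize_script_errors(log_text):
    """Group ScriptRunner stderr lines per (interpreter, script) and summarize each traceback."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        m = STDERR_RE.match(line)
        if m:
            groups.setdefault((m["interp"], m["script"]), []).append(m["msg"].strip())
    findings = []
    for (interp, script), msgs in groups.items():
        frames = [f.groupdict() for f in map(FRAME_RE.search, msgs) if f]
        excs = [e for e in map(EXC_RE.match, msgs) if e]
        if not excs:
            continue  # stderr output that contains no Python exception line
        last = excs[-1]
        findings.append({
            "interpreter": interp, "script": script,
            "exception": last["type"], "detail": last["detail"],
            "failing_frame": frames[-1] if frames else None,  # innermost frame
        })
    return findings

if __name__ == "__main__":
    for finding in summarize_script_errors(SAMPLE_LOG):
        print(finding)
```

A finding whose interpreter is python3.7 and whose exception is an AttributeError on a Python 2-only name matches the failure described in the post above.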