Literal string not working with TA-WebTools

All Apps and Add-ons

Using the following search strangely doesn't return the same result as it does in using postman, browser, etc. Essentially, we've got a list of IPs joined together that I'm attempting to pass to the shodan API which the "net:" search filter supports. The list of IPs will looks like so: "1.2.3.4,1.1.1.1,8.8.8.8" etc

(yes, the API key is included in the curl but is removed for the sake of this question)

index=test_index
| dedup src_ip
| stats values(src_ip) as ip_list
| eval ip_list = mvjoin(ip_list, ",")
| curl method=get uri="https://api.shodan.io/shodan/host/search?query=net:".ip_list."&fields=ip_str,port,timestamp,vulns&minify=false&language=en

However, we get 0 matches when the response body is returned:

{
"matches": [],
"total": 0
}

Example query that returns a response: api.shodan.io/shodan/host/search?query=net:1.1.1.1,8.8.8.8,9.9.9.9&fields=ip_str,port,timestamp,vuln...

Is the literal string expression (".ip_list.") not supported by TA-WebTools?

Thanks!

Get Updates on the Splunk Community!

Literal string not working with TA-WebTools

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Literal string not working with TA-WebTools

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions