All Apps and Add-ons

Literal string not working with TA-WebTools

bcrypt
Explorer

Using the following search strangely doesn't return the same result as it does in using postman, browser, etc. Essentially, we've got a list of IPs joined together that I'm attempting to pass to the shodan API which the "net:" search filter supports. The list of IPs will looks like so: "1.2.3.4,1.1.1.1,8.8.8.8" etc

(yes, the API key is included in the curl but is removed for the sake of this question)

index=test_index 
| dedup src_ip
| stats values(src_ip) as ip_list
| eval ip_list = mvjoin(ip_list, ",")
| curl method=get uri="https://api.shodan.io/shodan/host/search?query=net:".ip_list."&fields=ip_str,port,timestamp,vulns&minify=false&language=en

However, we get 0 matches when the response body is returned:

{
"matches": [],
"total": 0
}

Example query that returns a response: api.shodan.io/shodan/host/search?query=net:1.1.1.1,8.8.8.8,9.9.9.9&fields=ip_str,port,timestamp,vuln...

Is the literal string expression (".ip_list.") not supported by TA-WebTools? 

Thanks!

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...