I am transferring all my network and some firewall data to Splunk. I am trying to analyse part of the firewall traffic of an IoT network. Therefore I am trying to translate the source IPs which are communicating with my IoT devices into user-friendly data.
This is why I tried to use the "Network Toolkit" with its lookup called "whois". But I can't get it to work. Combining my data with the source IPs (called src_ip) with "whois" does not produce any data. I only get empty values.
Search request like:
... | lookup whois host as src_ip OUTPUT ...
Is this usage correct? I cannot produce any different output than empty output. Do you have any suggestions?
Same problem for me. I need to populate some alerts with the info generated by the whois command, but since the command "| whois xxx.xxx.xxx.xxx" must be inserted as the first command, I opted for the whois lookup. But when using:
... | lookup whois host as <my_field_containing_ip_addr> ...
it shows only blank columns. This makes me think that the "whois" lookup is empty, so with