Network Toolkit - Lookup whois - How to use

Niffchen
Observer

Hello,

I am transferring all my network and some firewall data to Splunk.
I am trying to analyse part of the firewall traffic of an IoT network, so I am trying to turn the source IPs that communicate with my IoT devices into user-friendly data.

That is why I tried to use the "Network Toolkit" with its lookup called "whois", but I can't get it working.
Combining my data, with the source IPs in a field called src_ip, with "whois" does not produce any data. I only get empty values.

Search request like:

... | lookup whois host as src_ip OUTPUT ...

Is this usage correct? I cannot get any output other than empty output.
Do you have any suggestions?

Regards,

Jens


ownion
Explorer

Same problem for me. I need to populate some alerts with the info generated by the whois command, but since the command "| whois xxx.xxx.xxx.xxx" must be used as the first command, I opted for the whois lookup, but when using:

... | lookup whois host as <my_field_containing_ip_addr> ...

it shows only blank columns, which makes me think that the "whois" lookup is empty, so with

| inputlookup whois

the result is empty...

Hoping someone will help with this.
