I am transferring all my network and some firewall data to Splunk. I am trying to analyse part of the firewall traffic of an IoT network. Therefore I am trying to turn the source IPs which are communicating with my IoT devices into user-friendly data.
This is why I tried to use the "Network Toolkit" with its lookup called "whois". But I don't get it working. Combining my data with the source IPs - called src_ip - with "whois" is not producing any data. I only get empty values.
search request like:
... | lookup whois host as src_ip OUTPUT ...
Is this usage correct? I cannot produce any different output than empty output. Do you have any suggestions?
Same problem for me, I need to populate some alert with the info generated by the whois command, but considering that the command " | whois xxx.xxx.xxx.xxx" must be inserted as the first command, I opted for the lookup whois, but when using:
... | lookup whois host as <my_field_containing_ip_addr> ...
it shows only blank columns, which makes me think that the "whois" lookup is empty, so with
We were having the same problem and discovered that we were getting the below errors in the search.log (Job-->Inspect Job->Search job properties - search.log) even though there was no indication of an issue. We are running Splunk Enterprise version 8.1.2, which defaults to python3. We were able to get the lookups working by setting them to run as python2.
We added a custom /opt/splunk/etc/apps/network_tools/local/transforms.conf.
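As an added illustration (not the poster's own file, whose contents are not shown here), a local transforms.conf override of this shape pins the interpreter for the lookup; it assumes the lookup's stanza name is `whois`, as the `| lookup whois` usage above implies, and that the app's default/transforms.conf already defines the rest of that stanza:

```ini
# Constructed example: /opt/splunk/etc/apps/network_tools/local/transforms.conf
# Splunk merges local/ over default/ per stanza and per key, so only the
# interpreter setting is overridden; external_cmd and fields_list remain as
# shipped by the app. python.version accepts python, python2 or python3.
[whois]
python.version = python2
```

`splunk btool transforms list whois --debug` shows the merged stanza and which file each key came from, which is the quickest way to confirm the override took effect. Python 2 was removed from the platform in Splunk 9.0, so this is a stopgap until the app's lookup scripts are Python 3 compatible.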