All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TA-maclookup fails when "No Vendor Exists" for a MAC address

mark_wymer
Path Finder
‎03-08-2019 02:00 AM

Hi,

Similar to a previous question, under certain circumstances the maclookup fails with an error message:

command="maclookup", : failed to use the netaddr module!

After a bit of digging (and a reference in a previous question) this appears to happen when a MAC address is not found in any lists online or offline.

Fails:

| makeresults | eval src_mac="0A:58:0A:F4:01:01" | maclookup

Works:

| makeresults | eval src_mac="00:50:56:AB:64:11" | maclookup

In these instances, shouldn't the script return something like "Unknown Vendor"?

Regards,
Mark.

0 Karma
Reply

nickhills
Ultra Champion
‎03-08-2019 06:40 AM

Hello, I added the tag for "Add-On for MAC lookup" to you question. This means that the author of the app should be notified of your question.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

lakshman239
SplunkTrust
SplunkTrust
‎03-11-2019 03:58 AM

You could also address this issue, by adding something like the below on your local/props.conf to force unknown to vendor field, so your command [assuming depends on vendor] may work.

[sourcetypeof_the_addon]
EVAL-vendor=coalesce(vendor,"Unknown")
0 Karma
Reply

mark_wymer
Path Finder
‎03-11-2019 04:47 AM

Hi Lakshman,

Thanks for the response - I'll try it out.

I suspect, though, that it's the actual python script that can't handle an 'unknown' response from macvendors.co

If you have a number of mac addresses to look up, the 1st one that 'fails' causes the entire search string to stop.

Regards,
Mark.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...