I have a simple need right now that I thought this app would help me with. How would I take firewall logs, for example, and run a Whois command on an IP address on the fly to output the Org Name to a report or table?
Roughly, something along these lines:
index=firewall | whois src_ip | table org_name
Or something simple like that, but I do not see that this app will do this. Will/Can this app do this? I need on-the-fly whois lookups to output fields to a table.
Sorry for the delay. I assumed that I would get email notifications on my post. And I was slightly wrong above... I want to take firewall traffic and do the Whois lookups in a search for the destination address. Your examples are locked to "host", which returns zero results as it's an RFC1918 address.
I've tried doing some workarounds such as:
... | eval host=dest_ip | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
All Whois fields are empty. I'm just not getting the logic correct to do what I need.
Also, when I run whois_lookup.py manually, I get this error:
root@splunk1:/opt/splunk/etc/apps/network_tools/bin# python whois_lookup.py 220.127.116.11
Traceback (most recent call last):
File "whois_lookup.py", line 7, in <module>
from network_tools_app import whois
File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 12, in <module>
import splunk.appserver.mrsparkle.lib.util as util
ImportError: No module named splunk.appserver.mrsparkle.lib.util
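The traceback above is what happens when a script under a Splunk app's bin/ directory is started with the system Python: the splunk.* packages only exist inside Splunk's bundled interpreter, so such scripts have to be run with `splunk cmd python whois_lookup.py ...` or from within a search. Independently of that app, the enrichment the post asks for (destination IP out of a firewall log, one WHOIS query per distinct routable address, Org Name into a table, RFC1918 addresses skipped because no registry answers for them) is small enough to show on its own. The following is an added example written for this page, not code from the network_tools app or from the poster. It assumes key=value firewall logs with a dest_ip field and the whois(1) command-line client; the log lines and the WHOIS replies embedded in it are constructed so the example runs offline, and the real lookup is only used when no stub is passed in.

```python
"""Enrich firewall log destinations with the WHOIS organisation name.

Added example (not part of the network_tools app or the original post).
Assumptions: key=value firewall logs carrying a dest_ip field, and the
whois(1) client on PATH for real lookups. Sample data below is constructed.
"""
import ipaddress
import re
import subprocess

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOGS = [
    "2016-03-01T10:00:01 action=allow src_ip=10.1.2.3 dest_ip=203.0.113.5 dest_port=443",
    "2016-03-01T10:00:02 action=allow src_ip=10.1.2.3 dest_ip=192.168.50.7 dest_port=445",
    "2016-03-01T10:00:03 action=deny src_ip=10.1.2.9 dest_ip=203.0.113.5 dest_port=22",
    "2016-03-01T10:00:04 action=allow src_ip=10.1.2.9 dest_ip=198.51.100.20 dest_port=80",
    "2016-03-01T10:00:05 action=allow src_ip=10.1.2.9 dest_ip=not-an-ip dest_port=80",
]

# Constructed WHOIS replies in ARIN style (OrgName:) and RIPE style (org-name:/descr:).
FAKE_WHOIS = {
    "203.0.113.5": "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Example Hosting LLC\nOrgId: EXHL\n",
    "198.51.100.20": "inetnum: 198.51.100.0 - 198.51.100.255\ndescr: Example Transit Network\norg-name: Example ISP GmbH\n",
}

# RFC 1918 space, the reason the post's lookups on "host" returned nothing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Registry fields that carry the organisation, most specific first
# (ARIN OrgName, RIPE org-name, LACNIC owner, then the generic descr).
ORG_KEYS = ("orgname", "org-name", "organization", "owner", "descr")


def extract_dest_ips(lines, field="dest_ip"):
    """Return {ip_string: hit_count} in first-seen order, dropping unparsable values."""
    pattern = re.compile(r"\b%s=(\S+)" % re.escape(field))
    counts = {}
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        try:
            ip = str(ipaddress.ip_address(match.group(1)))  # normalises the text form
        except ValueError:
            continue  # e.g. a hostname or truncated field
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def is_lookup_candidate(ip_text):
    """False for RFC 1918, loopback, link-local, multicast and unspecified addresses.

    ipaddress.is_private is deliberately not used here: it also flags the
    documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24),
    which do have registry records and would silently vanish from the table.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)


def parse_org_name(whois_text):
    """Pick the organisation out of a raw WHOIS reply, preferring explicit org fields."""
    found = {}
    for raw in whois_text.splitlines():
        if ":" not in raw or raw.lstrip().startswith(("%", "#")):
            continue  # comments and free text
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ORG_KEYS and value and key not in found:
            found[key] = value
    for key in ORG_KEYS:
        if key in found:
            return found[key]
    return None


def whois_cmd(ip_text):
    """Real lookup through the whois(1) client; used only when no stub is supplied."""
    result = subprocess.run(["whois", ip_text], capture_output=True, text=True, timeout=15)
    return result.stdout


def build_org_table(lines, lookup=whois_cmd, field="dest_ip"):
    """Return (dest_ip, hits, org_name) rows, querying each routable IP exactly once."""
    rows = []
    for ip, hits in extract_dest_ips(lines, field).items():
        if not is_lookup_candidate(ip):
            rows.append((ip, hits, "n/a (non-routable)"))
            continue
        rows.append((ip, hits, parse_org_name(lookup(ip)) or "unknown"))
    return rows


if __name__ == "__main__":
    # Offline run against the constructed replies; drop lookup= to query real registries.
    for dest, hits, org in build_org_table(SAMPLE_LOGS, lookup=lambda ip: FAKE_WHOIS.get(ip, "")):
        print("%-16s %4d  %s" % (dest, hits, org))
```

Run as-is it prints three rows from the constructed data; pointed at real logs with the default lookup it shells out once per distinct public destination, which is the behaviour you want before wiring anything like this into a scheduled search, since registries rate-limit and a lookup per event would be throttled quickly.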