I have a simple need right now that I thought this app would help me with. How would I take firewall logs for example and on-the-fly run a Whois command on an IP address to output the Org Name to a report or table?
Roughly, something along these lines:
index=firewall | whois src_ip | table org_name
Or something simple like that but I do not see this app will do this. Will/Can this app do this? I need on-the-fly whois lookups to output fields to a table.
You can use the scripted lookup commands provided with the Network Toolkit app to do this. See https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups
Anybody know of another app that may do this?
You ever get this to work?
Sorry for the delay. I assumed that I would get email notifications on my post. And I was slightly wrong above.....I want to take firewall traffic and do the Whois lookups in a search for the destination address. Your examples are locked to "host" which returns zero results as it's a RFC1918 address.
I've tried doing some workarounds such as:
... | eval host=dest_ip | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
All Whois fields are empty. I'm just not getting the logic correct to do what I need.
Same for me, I need exactly the same information you need, but the lookup command always returns empty fields.
How did you managed this issue?
Also, when I run the whois_lookup.py manually I get this error:
root@splunk1:/opt/splunk/etc/apps/network_tools/bin# python whois_lookup.py 22.214.171.124
Traceback (most recent call last):
File "whois_lookup.py", line 7, in
from network_tools_app import whois
File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/init.py", line 12, in
import splunk.appserver.mrsparkle.lib.util as util
ImportError: No module named splunk.appserver.mrsparkle.lib.util
@tdlr: that's weird. What kind of Splunk install are you running this on (platform, heavy forwarder/lightweight forwarder/universal forwarder/search head/etc)?
This is Ubuntu Server 18.04.2 LTS. I'm waiting for new servers so this is one system running all Splunk functions.