Trying to do a run-time whois just to pull the Org Name

tdlr
Engager

I have a simple need right now that I thought this app would help me with. How would I take firewall logs for example and on-the-fly run a Whois command on an IP address to output the Org Name to a report or table?

Roughly, something along these lines:

index=firewall | whois src_ip | table org_name

Or something simple like that, but I do not see that this app will do this. Will/Can this app do this? I need on-the-fly whois lookups to output fields to a table.


LukeMurphey
Champion

You can use the scripted lookup commands provided with the Network Toolkit app to do this. See https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups


tdlr
Engager

Anybody know of another app that may do this?


robert_miller
Path Finder

You ever get this to work?


tdlr
Engager

Sorry for the delay. I assumed that I would get email notifications on my post. And I was slightly wrong above... I want to take firewall traffic and do the Whois lookups in a search for the destination address. Your examples are locked to "host", which returns zero results as it's an RFC1918 address.

I've tried doing some workarounds such as:

... | eval host=dest_ip | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id

All Whois fields are empty. I'm just not getting the logic correct to do what I need.

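The on-the-fly lookup this thread is after, as an added example that is not the Network Toolkit's own code: a Splunk external (scripted) lookup that reads the CSV Splunk passes on stdin, fills org_name for each host, and returns an empty value for RFC1918 and other private addresses, which is the case the post above runs into. The whois text, the org name and the lookup_whois_text stand-in are constructed so the script runs offline.

```python
import csv
import io
import ipaddress
import re
import sys

# Constructed whois text keyed by IP so the example runs offline.
# The org name is made up; a real deployment would query an RIR instead.
SAMPLE_WHOIS = {
    "8.8.8.8": "NetRange: 8.8.8.0 - 8.8.8.255\nOrgName: Constructed Example Org\n",
}

# ARIN prints OrgName:, RIPE prints org-name: or descr:; take the first match.
ORG_RE = re.compile(r"^(?:OrgName|org-name|descr):\s*(.+)$", re.MULTILINE)


def lookup_whois_text(ip):
    """Hypothetical stand-in for a real whois client: raw whois text or None."""
    return SAMPLE_WHOIS.get(ip)


def org_name_for(ip, fetch=lookup_whois_text):
    """Registrant organisation for a public IP, or '' if unknown.
    RFC1918 and other non-public addresses are skipped before any query,
    so a lookup keyed on an internal address always comes back empty."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ""
    if addr.is_private:
        return ""
    text = fetch(ip)
    if not text:
        return ""
    m = ORG_RE.search(text)
    return m.group(1).strip() if m else ""


def process_lookup(csv_in, fetch=lookup_whois_text):
    """Splunk external-lookup protocol: Splunk writes a CSV of the lookup's
    fields to stdin; fill the output field (org_name) for every row whose
    input field (host) is set and write the CSV back to stdout."""
    reader = csv.DictReader(io.StringIO(csv_in))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        if row.get("host") and not row.get("org_name"):
            row["org_name"] = org_name_for(row["host"], fetch)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    sys.stdout.write(process_lookup(sys.stdin.read()))
```

Wire it in with a transforms.conf stanza whose external_cmd names the script followed by the two fields (host org_name) and whose fields_list is host,org_name; the search then reads `... | lookup <stanza> host AS dest_ip | table dest_ip org_name`, mapping the lookup's host field onto the event's dest_ip rather than the other way round.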

ownion
Explorer

Same for me, I need exactly the same information you need, but the lookup command always returns empty fields.
How did you manage this issue?


tdlr
Engager

Also, when I run the whois_lookup.py manually I get this error:

root@splunk1:/opt/splunk/etc/apps/network_tools/bin# python whois_lookup.py 8.8.8.8
Traceback (most recent call last):
File "whois_lookup.py", line 7, in <module>
from network_tools_app import whois
File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 12, in <module>
import splunk.appserver.mrsparkle.lib.util as util
ImportError: No module named splunk.appserver.mrsparkle.lib.util
root@splunk1:/opt/splunk/etc/apps/network_tools/bin#


LukeMurphey
Champion

@tdlr: that's weird. What kind of Splunk install are you running this on (platform, heavy forwarder/lightweight forwarder/universal forwarder/search head/etc)?

tdlr
Engager

This is Ubuntu Server 18.04.2 LTS. I'm waiting for new servers so this is one system running all Splunk functions.
