I have a simple need right now that I thought this app would help me with. How would I take firewall logs for example and on-the-fly run a Whois command on an IP address to output the Org Name to a report or table?
Roughly, something along these lines:
index=firewall | whois src_ip | table org_name
Or something simple like that, but I do not see that this app will do this. Will/Can this app do this? I need on-the-fly whois lookups to output fields to a table.
You can use the scripted lookup commands provided with the Network Toolkit app to do this. See https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups
Anybody know of another app that may do this?
You ever get this to work?
Sorry for the delay. I assumed that I would get email notifications on my post. And I was slightly wrong above... I want to take firewall traffic and do the Whois lookups in a search for the destination address. Your examples are locked to "host", which returns zero results as it's an RFC1918 address.
I've tried doing some workarounds such as:
... | eval host=dest_ip | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
All Whois fields are empty. I'm just not getting the logic correct to do what I need.
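For readers trying to work out why a scripted lookup comes back with empty fields, here is a minimal Splunk external lookup in the same shape, written as an added example (it is not the Network Toolkit app's whois_lookup.py and does not use its code). Splunk invokes an external lookup script with the lookup's field names as command-line arguments and feeds it a CSV on stdin whose header contains those fields; the script must write back a CSV with the same header, filling in the output columns for each row. The organisation data below is a constructed offline table standing in for a real registry query, and the script name and field names are assumptions for illustration. Private (RFC1918) addresses are deliberately left blank, since a registry lookup on them yields nothing, which is the same symptom as keying the lookup on an internal "host" value.

```python
#!/usr/bin/env python3
"""Minimal Splunk external lookup that enriches an IP field with a whois-style
organisation name.

Added example, not the Network Toolkit app's own script.  Splunk runs it as
    whois_org_lookup.py <ip_field> <out_field> ...
with a CSV on stdin; it writes a CSV with the same header to stdout.
"""
import csv
import ipaddress
import sys

# Constructed sample data standing in for a live whois query (assumption).
# A real script would call a whois client here instead.
SAMPLE_WHOIS = {
    "8.8.8.8": {"org_name": "Google LLC", "rir": "ARIN"},
    "1.1.1.1": {"org_name": "Cloudflare, Inc.", "rir": "APNIC"},
}
OUTPUT_DEFAULTS = {"org_name": "", "rir": ""}


def whois_org(ip):
    """Return whois-style fields for ip, or empty strings when nothing applies.

    Unparseable values and private/RFC1918 addresses come back empty: no
    registry holds an allocation for 10.0.0.0/8, so a lookup keyed on an
    internal address produces blank output columns rather than an error.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return dict(OUTPUT_DEFAULTS)
    if addr.is_private:
        return dict(OUTPUT_DEFAULTS)
    return dict(OUTPUT_DEFAULTS, **SAMPLE_WHOIS.get(ip, {}))


def run_lookup(rows, input_field, output_fields, resolver=whois_org):
    """Fill output_fields on every row from resolver(row[input_field]).

    Note that input_field must be a column Splunk actually sends: with
    `lookup whois host AS some_event_field`, the lookup field is still
    'host', and Splunk populates it from some_event_field.
    """
    enriched_rows = []
    for row in rows:
        result = resolver(row.get(input_field, ""))
        enriched = dict(row)
        for field in output_fields:
            enriched[field] = result.get(field, "")
        enriched_rows.append(enriched)
    return enriched_rows


def main(argv=None, stdin=sys.stdin, stdout=sys.stdout):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) < 2:
        sys.exit("usage: whois_org_lookup.py <ip_field> <out_field> ...")
    input_field, output_fields = argv[0], argv[1:]
    reader = csv.DictReader(stdin)
    if reader.fieldnames is None:  # empty input: nothing to echo back
        return
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(run_lookup(reader, input_field, output_fields))


if __name__ == "__main__":
    main()
```

Wired up with a transforms.conf stanza such as `external_cmd = whois_org_lookup.py host org_name` and `fields_list = host, org_name`, the search `... | lookup whois_org host AS dest_ip | table dest_ip org_name` would fill org_name for public destination addresses and leave it empty for internal ones. Because Splunk executes lookup scripts with its bundled interpreter, test them by hand with `splunk cmd python script.py` rather than the system python, which is also why a script that imports Splunk's own modules fails when run directly from a shell.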
Same for me, I need exactly the same information you need, but the lookup command always returns empty fields.
How did you manage this issue?
Also, when I run the whois_lookup.py manually I get this error:
root@splunk1:/opt/splunk/etc/apps/network_tools/bin# python whois_lookup.py 8.8.8.8
Traceback (most recent call last):
  File "whois_lookup.py", line 7, in <module>
    from network_tools_app import whois
  File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 12, in <module>
    import splunk.appserver.mrsparkle.lib.util as util
ImportError: No module named splunk.appserver.mrsparkle.lib.util
root@splunk1:/opt/splunk/etc/apps/network_tools/bin#
@tdlr: that's weird. What kind of Splunk install are you running this on (platform, heavy forwarder/lightweight forwarder/universal forwarder/search head/etc)?
This is Ubuntu Server 18.04.2 LTS. I'm waiting for new servers so this is one system running all Splunk functions.