
Using foreach to get network operator info

gordo32
Communicator

When using the Network Toolkit's whois function, the network operator information typically appears in one of the *.contact.name fields. I'd like to list the possible contact names as part of the output of one of my queries. However, the beginning of these fields changes depending on various factors, so I can't use a consistent field name.

The answer here https://answers.splunk.com/answers/340010/how-to-search-over-a-field-when-its-json-and-has-m-1.html explains how to use the foreach command to output the list of matches, which I've modified to be the following:

| whois 8.8.8.8
| eval contactlist=""
| foreach *.contact.name
    [ eval contactlist=contactlist." ".'<<FIELD>>' ]
| table contactlist

NOTE: sorry if the FIELD item doesn't appear at the end of the above in the triangle brackets, it seems to be a keyword in splunk answers and fails to display properly

However, I only get a set of blank lines (one per value in the whois resultset). I've tried wrapping foreach *".contact.name" and various other variations, but can't seem to get this to work.

Can anyone help? Alternatively, is there a better way to do this?

Thanks in advance.

0 Karma

martin_mueller
SplunkTrust

Do post the results you're getting from whois - the way it looks to me, it's not producing any fields other than attribute and value with the contact names listed as some of the attributes.
Also, do post what you'd like the results to look like.

0 Karma

gordo32
Communicator

In re-reading the Splunk docs on the topic, I think I misunderstood the purpose of the foreach.

0 Karma

somesoni2
Revered Legend

Try something like this

| whois 8.8.8.8
| eval attribute=if(like(attribute,"%.contact.name"),"contactlist",attribute)
| stats values(value) as value by attribute
| nomv value
0 Karma
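The following is an added example, not code posted by anyone in this thread, that shows why the two approaches above behave differently. The whois command in this thread returns one event per attribute/value pair, so the contact names are values of the attribute field, not field names; foreach iterates over the field names of a single event, which is why the original search produced only blank lines. The first search builds a constructed attribute/value result set with makeresults (the attribute names and values are made up for illustration, and 192.0.2.0/24 is a documentation prefix), collapses every *.contact.name attribute into one row with stats, and flattens the multivalue with nomv, as in the answer above. The second search builds a single constructed event that actually has org.contact.name and admin.contact.name as fields, which is the shape foreach expects, and shows the '<<FIELD>>' token that the forum software stripped from the original post. The two searches are independent; run them separately.

```spl
| makeresults count=4
| streamstats count AS n
| eval attribute=case(n==1, "org.contact.name",
                      n==2, "admin.contact.name",
                      n==3, "tech.contact.name",
                      n==4, "inetnum")
| eval value=case(n==1, "Example Org",
                  n==2, "Admin Example",
                  n==3, "Tech Example",
                  n==4, "192.0.2.0/24")
| fields - n _time
| eval attribute=if(like(attribute, "%.contact.name"), "contactlist", attribute)
| stats values(value) AS value BY attribute
| nomv value

| makeresults
| eval 'org.contact.name'="Example Org",
       'admin.contact.name'="Admin Example",
       inetnum="192.0.2.0/24"
| eval contactlist=""
| foreach *.contact.name
    [ eval contactlist=contactlist." ".'<<FIELD>>' ]
| eval contactlist=ltrim(contactlist)
| table contactlist
```

The first search yields two rows, one for inetnum and one named contactlist holding the three names joined by newlines; the second yields a single contactlist field containing "Example Org Admin Example". If the whois output ever changes shape, checking which of the two layouts it uses (run it with `| table *` first) tells you which search applies.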