All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using foreach to get network operator info

gordo32
Communicator
‎03-03-2018 08:20 AM

When using the Network Toolkit's whois function, the network operator information typically appears in one of the *.contact.name fields. I'd like to list the possible contact names as part of the output of one of my queries. However, the beginning of these fields changes depending of various factors, so I can't use consistent field name.

The answer here https://answers.splunk.com/answers/340010/how-to-search-over-a-field-when-its-json-and-has-m-1.html explains how to use the foreach command to output the list of matches, which I've modified to be the following:

| whois 8.8.8.8
| eval contactlist=""
| foreach *.contact.name
[ eval contactlist=contactlist ." ". '<>']
|table contactlist

NOTE: sorry if the FIELD item doesn't appear at the end of the above in the triangle brackets, it seems to be a keyword in splunk answers and fails to display properly

However, I only get a set of blank lines (one per value in the whois resultset). I've tried wrapping foreach *".contact.name" and various other variations, but can't seem to get this to work.

Can anyone help? Alternatively, is there a better way to do this?

Thanks in advance.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-03-2018 10:52 AM

Do post the results you're getting from whois - the way it looks to me, it's not producing any fields other than attribute and value with the contact names listed as some of the attributes.
Also, do post what you'd like the results to look like.

0 Karma
Reply

gordo32
Communicator
‎03-03-2018 12:38 PM

In re-reading the splunk docs on the topic, I think I misunderstood the purpose of the foreach.

0 Karma
Reply

somesoni2
Revered Legend
‎03-06-2018 01:19 PM

Try something like this

| whois 8.8.8.8 | eval attribute=if(like(attribute,"%.contact.name"),"contactlist",attribute) 
| stats values(value) as value by attribute| nomv value
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...