Using |lookup whois on domain name

skyelowryvancit · ‎10-10-2019

I have a lookup table ipn1.csv
src_ip,hostname
54.69.58.243,splunk.com
172.217.14.206,google.com

When I run:

   | inputlookup "ipn1.csv"
  | lookup whois host as src_ip

(lookup whois information based on the IP address) I get information populated from the whois search

When I run:

| inputlookup "ipn1.csv"
 | lookup whois host as hostname

(lookup whois information based on the domain name) no information is populated.

In my use case, I want to take a domain name from a search and lookup the creation_date but I cannot seem to get results.

When doing

|whois splunk.com

it works perfectly, just not within a runtime search.

Prewin027 · ‎10-13-2019

Hi,
From your question i understand that, you want to take domain name from your search and compare the same with a lookup table to fetch creation date.

For this,

|inputlookup "ipn1.csv" |fields hostname |rename hostname as host| lookup whois host OUTPUT creation_date

skyelowryvancit · ‎10-15-2019

I was only using the table to illustrate my problem.

My issue is that whois query will work when called by |lookup whois using the IP address, but not the Hostname.

Hostname only works when using |whois and not |lookup whois

robert_miller · ‎04-30-2020

Hey @skyelowryvancity , I can't get that lookup command to work. What version of the app are you using?

Using |lookup whois on domain name

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!