- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using |lookup whois on domain name
I have a lookup table ipn1.csv
src_ip,hostname
54.69.58.243,splunk.com
172.217.14.206,google.com
When I run:
| inputlookup "ipn1.csv"
| lookup whois host as src_ip
(lookup whois information based on the IP address) I get information populated from the whois search
When I run:
| inputlookup "ipn1.csv"
| lookup whois host as hostname
(lookup whois information based on the domain name) no information is populated.
In my use case, I want to take a domain name from a search and lookup the creation_date but I cannot seem to get results.
When doing
|whois splunk.com
it works perfectly, just not within a runtime search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
From your question i understand that, you want to take domain name from your search and compare the same with a lookup table to fetch creation date.
For this,
|inputlookup "ipn1.csv" |fields hostname |rename hostname as host| lookup whois host OUTPUT creation_date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was only using the table to illustrate my problem.
My issue is that whois query will work when called by |lookup whois using the IP address, but not the Hostname.
Hostname only works when using |whois and not |lookup whois
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @skyelowryvancity , I can't get that lookup command to work. What version of the app are you using?
