Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: ARIN Rest API external lookup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asucrews
Path Finder
06-05-2017
01:40 PM
Hello,
This is my first time creating a external lookup, and I think am missing something. The error I am getting is "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table." Can someone please review and let me know what i am missing.
/opt/splunk/etc/apps/soc/local/transforms.conf
[arinrestapi]
external_cmd = arinRestAPI.py src_ip
fields_list = abuseemail,company
/opt/splunk/etc/apps/soc/bin/arinRestAPI.py
import csv
import json
import sys
import requests
def abuseEMail(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['emails']['email']['$']
except:
return ''
def company(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['company']['$']
except:
return ''
def main():
if len(sys.argv) != 2:
print "Usage: python arinRestAPI.py [ip field]"
sys.exit(1)
ipfield = sys.argv[1]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[ipfield]:
# only ip was provided, add host
result[abuseEMail] = abuseEMail(result[ipfield])
result[company] = copmany(result[ipfield])
main()
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asucrews
Path Finder
06-08-2017
04:02 PM
fix it, well sort of , changed it to one input field to get one output field. not sure if there way to to one input to many outpu fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asucrews
Path Finder
06-08-2017
04:02 PM
fix it, well sort of , changed it to one input field to get one output field. not sure if there way to to one input to many outpu fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
youngsuh
Contributor
11-22-2021
07:40 AM
could you provide step by step procedure? We need to do same for us. Thanks in advance for you help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manish20171
New Member
07-26-2018
08:01 AM
Can you share the final working version? I am still getting error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asucrews
Path Finder
06-05-2017
04:14 PM
I am making procgess but no running in this error "Script for lookup table 'arinrestapi' returned error code 1. Results may be incorrect." I still missing something but I don't understand python enoght or I don't understand what Splunk is doing.
[arinrestapi]
allow_caching = 0
case_sensitive_match = 0
external_cmd = arinrestapi.py src_ip
fields_list = src_ip,abuseemail,company
import csv
import json
import sys
import requests
def abuseEMail(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['emails']['email']['$']
except:
return ''
def company(ip):
try:
ipUrl = 'https://whois.arin.net/rest/ip/' + ip +'.json'
r = requests.get(ipUrl)
org = r.json()
orgUrl = org['net']['orgRef']['$'] + '/pocs.json'
r = requests.get(orgUrl)
poc = r.json()
abuseUrl = poc['pocs']['pocLinkRef'][2]['$'] + '.json'
r = requests.get(abuseUrl)
abuse = r.json()
return abuse['poc']['companyName']['$']
except:
return ''
def main():
if len(sys.argv) != 2:
print "Usage: python arinRestAPI.py [ip field]"
sys.exit(1)
ipfield = sys.argv[1]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[ipfield]:
result[src_ip] = result[ipfield]
result[abuseemail] = abuseEMail(ipfield)
result[company] = company(ipfield)
w.writerow(result)
main()
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asucrews
Path Finder
06-05-2017
10:26 PM
After playing with script i think my issue is with for result in r loop, but i not really sure.
Get Updates on the Splunk Community!
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
