External command to add whois data to search set

wweiland
Contributor

Hello,

I'm looking to enrich my search results with WHOIS data from an API call. I'm trying to create an external command to take the domain_name from an event, call the external command, and add the JSON fields that it returns to the existing search results. What I have now replaces all of the search results instead of just adding the fields and doesn't currently work. I really do not know a lot about how the external search commands work. Can anyone give me pointers or have existing scripts that I can modify to work for me? I'll also add that I need to be able to enrich the data from the indexer tier. Possible?

import json
import sys
import urllib.parse
import urllib.request
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class ExStreamCommand(StreamingCommand):
    def stream(self, records):
        for record in records:
            domain_name = record.get('domain_name')
            if not domain_name:
                yield record  # nothing to look up; pass the event through unchanged
                continue
            # percent-encode the event-supplied value so it cannot alter the request path
            url = "http://whoisserver:8080/whois/%s" % urllib.parse.quote(str(domain_name), safe='')
            # Python 3 urllib (urllib.urlopen was Python 2); bound the call with a timeout
            response = urllib.request.urlopen(url, timeout=10)
            data = json.loads(response.read().decode('utf-8'))
            # merge the returned WHOIS fields into the existing event instead of replacing it
            record.update(data)
            yield record

if __name__ == "__main__":
    dispatch(ExStreamCommand, sys.argv, sys.stdin, sys.stdout, __name__)

TIA,
Todd

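Added example (not the poster's script, and not Splunk's own code): a streaming command whose merge step adds the WHOIS keys to each event instead of replacing it, and which answers the two questions in the post. The network call is injected, so the merge logic runs and can be tested without Splunk or a WHOIS server; the splunklib import is guarded for the same reason. The command name whoisenrich, the whois_ prefix, the server= option, the in-memory SAMPLE_WHOIS table and the sample events are all assumptions made for illustration.

```python
import json
import re
import sys
import urllib.parse
import urllib.request

# splunklib only exists inside Splunk (or the Splunk SDK for Python); guard the
# import so the merge logic below also runs and tests outside Splunk.
try:
    from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option
    HAVE_SPLUNKLIB = True
except ImportError:
    HAVE_SPLUNKLIB = False

# Hostname syntax: RFC 1123 labels, 2..63 letter TLD, optional trailing dot.
DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$', re.I)

def valid_domain(value):
    return bool(value) and DOMAIN_RE.match(str(value)) is not None

def build_whois_url(base_url, domain):
    # Percent-encode the event-supplied value so it cannot add path segments
    # or query parameters to the request sent to the WHOIS service.
    return base_url.rstrip('/') + '/' + urllib.parse.quote(domain, safe='')

def fetch_whois(base_url, domain, timeout=5):
    with urllib.request.urlopen(build_whois_url(base_url, domain), timeout=timeout) as resp:
        return json.loads(resp.read().decode('utf-8'))

def enrich_record(record, lookup, field='domain_name', prefix='whois_', cache=None):
    """Add the WHOIS keys to `record` under `prefix` and return the same record.
    Bad input or a failed lookup leaves the event intact and only sets <prefix>error."""
    domain = record.get(field)
    if not valid_domain(domain):
        record[prefix + 'error'] = 'invalid_or_missing_domain'
        return record
    domain = str(domain).lower().rstrip('.')
    try:
        if cache is not None and domain in cache:
            data = cache[domain]
        else:
            data = lookup(domain)
            if cache is not None:
                cache[domain] = data
    except Exception as exc:      # HTTP error, timeout, bad JSON, unknown domain
        record[prefix + 'error'] = type(exc).__name__
        return record
    for key, value in data.items():
        name = prefix + str(key)
        if name in record:        # never clobber a field the event already has
            continue
        # Flatten nested JSON to a string; Splunk fields are scalars or multivalue.
        record[name] = json.dumps(value) if isinstance(value, (dict, list)) else value
    return record

def whois_enrich(records, lookup, **options):
    """Generator used by stream(): yields every input record, enriched in place."""
    cache = {}                    # one lookup per distinct domain per search
    for record in records:
        yield enrich_record(record, lookup, cache=cache, **options)

if HAVE_SPLUNKLIB:
    # distributed=True lets the search head ship this command to the indexers.
    @Configuration(distributed=True)
    class WhoisEnrichCommand(StreamingCommand):
        """... | whoisenrich server=https://whoisserver:8443/whois field=domain_name"""
        server = Option(require=True)
        field = Option(default='domain_name')
        prefix = Option(default='whois_')

        def stream(self, records):
            return whois_enrich(records, lambda d: fetch_whois(self.server, d),
                                field=self.field, prefix=self.prefix)

# Constructed sample data: an in-memory stand-in for the WHOIS service.
SAMPLE_WHOIS = {
    'example.com': {'registrar': 'Example Registrar', 'created': '1995-08-14',
                    'nameservers': ['a.iana-servers.net', 'b.iana-servers.net']},
}

def sample_lookup(domain):
    if domain not in SAMPLE_WHOIS:
        raise KeyError(domain)
    return SAMPLE_WHOIS[domain]

def demo():
    """Constructed events: a known domain, an unknown one, and a hostile value."""
    records = [
        {'src': '10.0.0.5', 'domain_name': 'example.com', 'registrar': 'already-here'},
        {'src': '10.0.0.6', 'domain_name': 'unknown.test'},
        {'src': '10.0.0.7', 'domain_name': '../../admin?x=1'},
    ]
    return list(whois_enrich(records, sample_lookup))

if __name__ == '__main__':
    if HAVE_SPLUNKLIB:
        dispatch(WhoisEnrichCommand, sys.argv, sys.stdin, sys.stdout, __name__)
    else:
        print(demo())
```

The points worth noting: yield the record you were given, not the API response, or every event collapses into the WHOIS document; an event field is attacker-controlled input, so it is validated and percent-encoded before it goes into a URL on your internal network; one failed lookup marks that event with whois_error rather than killing the whole search; and the per-search cache keeps a `| whoisenrich` over a million events from turning into a million API calls. For the indexer tier, the command has to be in an app that the search head replicates to the peers (script, commands.conf stanza with filename, chunked = true and python.version = python3, plus the bundled splunklib) and the indexers must be able to reach the WHOIS endpoint; without distributed=True a streaming command only runs on the search head.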

kmorris_splunk
Splunk Employee