OK, I created a custom command, but I'm not configured correctly. It won't pass the search result to the script.

Here is my script (/etc/apps/search/bin/scanip.py):

import subprocess,sys,os

nmap = "nmap -A " + sys.argv[1]


p = subprocess.Popen(nmap, shell=True, stderr=subprocess.PIPE)
while True:
    out = p.stderr.read(1)
    if out == '' and p.poll() != None:
        break
    if out != '':
        sys.stdout.write(out)
        sys.stdout.flush()

Here is my search:

sourcetype=WinDNS | table source_address | head 1 | scanip source_address

Here is the output from the search:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-20 20:07 EST
Failed to resolve "source_address".
WARNING:Nmap done: 0 IP addresses (0 hosts up) scanned in 0.29 seconds
No targets were specified

Yet, I if run the following search:

| scanip 10.10.10.10

I get the expected nmap results.

So how to I get splunk to pass the value of source_address or whatever field instead of the string?

It seems to have something to do with http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts

but I can't get the syntax right.

Thanks for any suggestions or links with better examples.

After looking as this and asking around some other sources, it seems the best way to do this is to export the list of ips to a CSV, call a script to run nmap against that csv, which either exports to a XML which is then re-imported back into Splunk or send the nmap output to ANOTHER script which puts the output into csv which then can be used as a lookup table.

So for now, this effort is going on the back burner.

Thanks to @richgalloway for the suggestions provided.

Try

... | scanip $source_address$

sourcetype=WinDNS | table source_address | head 1 | scanip $source_address$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:54 EST
Failed to resolve "$".
WNmap done: 0 IP addresses (0 hosts up) scanned in 0.72 seconds
ARNING: No targets were specified

sourcetype=WinDNS | table source_address | head 1 | scanip $$source_address$$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:55 EST
Failed to resolve "45981source_address45981".
WARNmap done: 0 IP addresses (0 hosts up) scanned in 0.30 seconds
NING: No targets were specified

sourcetype=WinDNS | table source_address | head 1 | scanip \$source_address\$

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 07:56 EST
Failed to resolve "$source_address$".
WARNNmap done: 0 IP addresses (0 hosts up) scanned in 0.46 seconds
ING: No targets were specified

One last guess:

... | scanip 'source_address'
Note the single quotes.

Nope

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:46 EST
Failed to resolve "source_address".
WANmap done: 0 IP addresses (0 hosts up) scanned in 0.45 seconds
RNING: No targets were specified

It shows double quotes in the response whether or not I put single or double quotes in the search bar.

XtremeNmapParser FTW to convert the xml to JSON and then used HEC to send it all to Spunk!

https://github.com/xtormin/XtremeNmapParser/issues/1