Splunk Dev

How to create an NSLookup script that allows you to right-click an IP to get the name and address information?

packet_hunter
Contributor

Any one have any luck creating an NSlookup script that allows you to right-click an IP and get the Name/Address Info?

I am thinking about using a Python script.

Any pointers, don't want to reinvent the wheel...

Thank you

Tags (4)
0 Karma
1 Solution

gesman_splunk
Splunk Employee
Splunk Employee

Simpler and pure Simple XML solution would be to add a drilldown capability on IP field.
Alternatively (what I did) - create a another field right next to IP, name it "Whois" and make click on this field to open new browser tab to execute "whois" on IP.

Such as:

  ...
  <row>
    <panel>
      <table>
        <title>Investigation Results</title>
        <searchPostProcess base="root_search">
          ...
        </searchPostProcess>
        <drilldown target="_blank">
          <link field="Whois">
            <![CDATA[ http://who.is/whois-ip/ip-address/$row.src_ip$ ]]>
          </link>
        </drilldown>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="count">15</option>
      </table>
    </panel>
  </row>    ...

In above case - clicking on "Whois" field will open new browser tab where value of "src_ip" field will be taken and sent as a parameter to "who.is" service. Feel free to replace this with another service of your choice.

View solution in original post

gesman_splunk
Splunk Employee
Splunk Employee

Simpler and pure Simple XML solution would be to add a drilldown capability on IP field.
Alternatively (what I did) - create a another field right next to IP, name it "Whois" and make click on this field to open new browser tab to execute "whois" on IP.

Such as:

  ...
  <row>
    <panel>
      <table>
        <title>Investigation Results</title>
        <searchPostProcess base="root_search">
          ...
        </searchPostProcess>
        <drilldown target="_blank">
          <link field="Whois">
            <![CDATA[ http://who.is/whois-ip/ip-address/$row.src_ip$ ]]>
          </link>
        </drilldown>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="count">15</option>
      </table>
    </panel>
  </row>    ...

In above case - clicking on "Whois" field will open new browser tab where value of "src_ip" field will be taken and sent as a parameter to "who.is" service. Feel free to replace this with another service of your choice.

packet_hunter
Contributor

Thank you very much I will give it a shot and let you know how it goes.

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...