Splunk Enterprise

Splunk Enterprise - Whois Query by variable not working help

pstorms
New Member

Hello,

I am a newbie to Splunk and am trying to get a dashboard going to query whois and return information related to security concerns. I am tracking authorization-failed messages from my Linux email host in syslog. I would like to take the IP address and determine, to start, where this host is located in the world based upon the asn_country_code. If I do a query where I use just the IP address it works. But when I try to use a variable, it fails. I have tried searching long and hard and cannot find the answer. The add-on app "Network Toolkit" contains a whois function; it returns many attributes when an IP or domain name is provided as the search string. One key element is rhost or asn_country_code, which I am currently interested in using.

When I run the query:

(index=* OR index=_*) "authentication failure"
| eval country_code = [| whois 14.177.64.163 | search attribute=asn_country_code | stats values(value) as country | eval search="\"".mvjoin(country, ",")."\"" ]
| table rhost, country_code


I get the following results:

[screenshot: pstorms_0-1615417243394.png]


This is just so it works. I get the IP addresses of the hosts that failed their authentication request. But the country code is manually entered and I get only the "VN" response; I was just troubleshooting the query so it works. I'd like to get the appropriate country code from whois, but when I change the IP address from "14.177.64.162" to rhost, the query fails.

(index=* OR index=_*) "authentication failure"
| eval country_code = [| whois rhost | search attribute=asn_country_code | stats values(value) as country | eval search="\"".mvjoin(country, ",")."\"" ]
| table rhost, country_code


I get the following:

[screenshot: pstorms_1-1615417369933.png]

What am I doing wrong with the variable attribute rhost? Does it need to be in quotations? (Tried.) Or? I am at a loss. Can someone guide me to the right answer?

Thank you very much.
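As an added example (not part of the original post or the Network Toolkit app): a Splunk subsearch in square brackets is evaluated once, before the outer search, so `rhost` inside it is never an event field, just the literal text "rhost" passed to whois. To run whois once per source address, the per-row `map` command substitutes `$field$` tokens from each input result; the `stats ... BY rhost` before it collapses the failures to one row per address, and `maxsearches` (an assumed value) caps how many whois lookups the dashboard will issue.

```spl
(index=* OR index=_*) "authentication failure"
| stats count AS failures BY rhost
| map maxsearches=100 search="| whois $rhost$ | search attribute=asn_country_code | stats values(value) AS country_code | eval rhost=\"$rhost$\", failures=$failures$"
| table rhost failures country_code
| sort - failures
```

Because each row triggers a live whois query, this belongs on an aggregated, time-bounded panel rather than a raw-event search.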
