Splunk SOAR

How to use the Splunk Whois app, no piece of information available

apietersen
Contributor

How to use this Splunk Whois app? Not a single piece of information or example to be found.

What is the SPL syntax of this app?



apietersen
Contributor

Yes, I read the app info on Splunkbase. I was expecting an embedded SPL command something like this:

| eval cn=whoisip("x.x.x.x")

expecting something similar to the paid TA for WhoisXmlAPI (like a standard DNS lookup request).

Apparently, I don't understand the function of the Whois app, neither your reference to Soar, sorry. What am I missing here, or are there other or better options available?

I.e.: the IPAM DNS Management Add-On for Splunk is the data management. [although no info was found on Splunkbase for that either]

I'm looking for a simple way to resolve an IP address to a domain name as the result of a search (in fact an SPL-embedded command requesting the DNS service without an API call).


PickleRick
SplunkTrust

It's an app for a completely different product. You're looking for something for Splunk Enterprise, while the app you pointed to is an app for SOAR (Security Orchestration, Automation and Response). These are two different solutions.

So that's one thing.

Another thing is that custom commands are tricky, especially those calling external services. Theoretically, implementing a DNS lookup (because that's what IP to domain name mapping is; it has nothing to do with whois; the whois database is a completely different thing - it shows you the entity responsible for a given IP, not the domain name) should be relatively easy, but running it - especially if using an external DNS server, not a local caching one - can be very expensive if run over a big dataset.
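The cost point above is easy to see in code. The following is an added example, not code from this thread or from any Splunk or Splunkbase app: a reverse-DNS (PTR) resolver with a per-search cache, shaped the way the lookup inside a streaming custom command would be. It assumes the IP lives in a field called `src_ip`, and the 1,000 sample events plus the `fake_lookup` PTR table are constructed so it runs offline; pass `use_live_dns=True` to `demo()` to hit the host's real resolver instead.

```python
"""Cached reverse-DNS resolution over a batch of search results.

Added example (not from the thread or any Splunk app). The event list and the
PTR table below are constructed; the `src_ip` field name is an assumption.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def ptr_lookup(ip: str) -> Optional[str]:
    """Real backend: one PTR query per call. This is the expensive part, and
    it goes to whatever resolver the search head is configured to use."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


class CachingResolver:
    """Cache in front of the backend for the lifetime of one search.

    Negative answers are cached too, so an IP with no PTR record costs one
    query, not one query per event that mentions it."""

    def __init__(self, lookup: Callable[[str], Optional[str]] = ptr_lookup):
        self._lookup = lookup
        self._cache: Dict[str, Optional[str]] = {}
        self.backend_calls = 0  # number of real queries issued

    def resolve(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self.backend_calls += 1
            self._cache[ip] = self._lookup(ip)
        return self._cache[ip]


def resolve_events(events: Iterable[Dict[str, str]],
                   field: str = "src_ip",
                   resolver: Optional[CachingResolver] = None
                   ) -> Tuple[List[Dict[str, Optional[str]]], int]:
    """Add a host_name field to every event, as a streaming command would.

    Returns the enriched events and how many backend queries were needed."""
    resolver = resolver or CachingResolver()
    enriched: List[Dict[str, Optional[str]]] = []
    for ev in events:
        row: Dict[str, Optional[str]] = dict(ev)
        row["host_name"] = resolver.resolve(ev[field])
        enriched.append(row)
    return enriched, resolver.backend_calls


# Constructed sample: 1,000 events spread over four RFC 5737 documentation
# addresses. Real result sets look like this: few distinct IPs, many events.
DISTINCT_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.7"]
SAMPLE_EVENTS = [
    {"_time": str(1700000000 + i), "src_ip": DISTINCT_IPS[i % len(DISTINCT_IPS)]}
    for i in range(1000)
]

# Constructed PTR table so the example runs without network access.
FAKE_PTR_TABLE: Dict[str, Optional[str]] = {
    "192.0.2.10": "web1.example.test",
    "192.0.2.20": "db1.example.test",
    "192.0.2.30": None,  # address exists in the table but has no PTR record
}


def fake_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for ptr_lookup."""
    return FAKE_PTR_TABLE.get(ip)


def demo(use_live_dns: bool = False) -> Tuple[int, int]:
    """Return (events processed, backend queries issued)."""
    resolver = CachingResolver(ptr_lookup if use_live_dns else fake_lookup)
    rows, calls = resolve_events(SAMPLE_EVENTS, resolver=resolver)
    return len(rows), calls


if __name__ == "__main__":
    n, calls = demo()
    print(f"{n} events enriched with {calls} DNS queries")  # 1000 events, 4 queries
```

Without the cache the same run would issue 1,000 queries, one per event, which is the "very expensive over a big dataset" case; with it, cost scales with the number of distinct IPs, and the wall-clock time is then dominated by whatever the resolver's own latency is, so pointing the search head at a local caching resolver matters as much as the in-process cache.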

apietersen
Contributor

OK, thanks, understood; I overlooked the SOAR compatibility.


PickleRick
SplunkTrust

This is a simple SOAR app with just a handful of actions:

"This app implements investigative actions that query the whois database

Supported Actions

  • test connectivity: Validate the configuration for connectivity
  • whois domain: Execute a whois lookup on the given domain
  • whois ip: Execute a whois lookup on the given IP"

What more do you need?
