Hello, I am a newbie to Splunk and am trying to get a dashboard going to query whois and return information related to security concerns. I am tracking "authorization failed" messages from my Linux email host in syslog. I would like to take the IP address and determine, to start, where this host is located in the world based upon the asn_country_code. If I do a query where I use just the IP address it works. But when I try to use a variable, it fails. I have tried searching long and hard and cannot find the answer.

When I use the add-on app "Network Toolkit", it has a whois function that returns many attributes when an IP or domain name is provided as the search string. One key element is rhost or asn_country_code, which I am currently interested in using. When I run the query:

(index=* OR index=_*) "authentication failure" | eval country_code = [| whois 14.177.64.163 | search attribute=asn_country_code | stats values(value) as country | eval search="\"".mvjoin(country, ",")."\"" ] | table rhost, country_code

I get the following results:

This is just so it works. I get the IP addresses of the hosts that failed their authentication request. But the country code is manually entered and I get only the "VN" response; I am just troubleshooting the query so it works. I'd like to get the appropriate country code from whois, but when I change the IP address from "14.177.64.162" to rhost, it fails the query.

(index=* OR index=_*) "authentication failure" | eval country_code = [| whois rhost | search attribute=asn_country_code | stats values(value) as country | eval search="\"".mvjoin(country, ",")."\"" ] | table rhost, country_code

I get the following:

What am I doing wrong with the variable attribute rhost? Does it need to be in quotations? (tried) Or? I am at a loss. Can someone guide me to the right answer? Thank you very much.
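A per-row alternative, added here as an example and not part of the original post: a subsearch such as [| whois rhost ...] runs once, before the outer search, and never sees each event's rhost value (the whois command receives the literal string "rhost"), so the eval gets nothing useful back. Splunk's map command instead re-runs a search template for every result, substituting $rhost$ on each pass. The whois command and its attribute/value output are taken from the post; it is assumed (not verified here) that the Network Toolkit whois command accepts the address the same way inside a map template.

```spl
(index=* OR index=_*) "authentication failure"
| stats count AS failures BY rhost
| map maxsearches=50 search="| whois $rhost$ | search attribute=asn_country_code | stats values(value) AS country_code | eval rhost=\"$rhost$\", failures=$failures$"
| table rhost, failures, country_code
```

Aggregating by rhost before the map keeps the number of whois lookups equal to the number of distinct source addresses rather than the number of failure events; map stops after its maxsearches limit (default 10), so raise it to cover the distinct addresses you expect.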