Hi,
I have written a custom search command to send whois queries for IP addresses that result from the search head. I assume that the custom search command will get the search results from the search head and send them to whois.arin.net, and then the results will be listed in another field.
The commands.conf file includes the following:

```
[whois]
chunked = true
filename = whois.py
generating = true
supports_rawargs = true
streaming = true
retainsevents = true #!!!!!! not sure for this !!!!!!!!!!
```
code location:
C:\Program Files\Splunk\etc\system\bin
The code snippet is also below; the whole code is working properly outside of Splunk, but I don't get any response when running it on the search head.
```python
import splunk.Intersplunk

def whoisQuery(orgnames, settings):
    # Rebinding the parameter here discards the incoming search results;
    # only the OrgName dicts collected below are returned to Splunk.
    orgnames = []
    # A single dict reused for every append: all list entries point at the same object.
    orgname = {}
    # ............................................
    # (the connection to whois.arin.net and the source of the reply lines are elided in the post;
    #  `whois_reply_lines` is an assumed name for the elided per-line loop)
    for i in whois_reply_lines:
        try:
            if "OrgName" in i:
                b = i.split()
                orgname['OrgName'] = b[1:]  # list of words after the "OrgName:" label
                orgnames.append(orgname)
                break
        except Exception:  # bare `except:` also swallowed KeyboardInterrupt/SystemExit
            pass
    return orgnames

# to get previous search results
orgnames, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
# for result in orgnames:
orgnames = whoisQuery(orgnames, settings)
splunk.Intersplunk.outputResults(orgnames)
```
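An added example (not the poster's code) of the same enrichment written so that the incoming events are kept and a `whois_orgname` field is appended to each one; it assumes the events carry the address in a field named `ip`, that `whois.arin.net` on port 43 is queried with a plain IP followed by CRLF, and that the command is a streaming (not generating) command so it receives the preceding search's results. The whois reply below is constructed for offline testing.

```python
import re
import socket

WHOIS_SERVER = "whois.arin.net"  # server named in the post
WHOIS_PORT = 43                   # RFC 3912 whois port

# Constructed sample reply, modelled on the OrgName line in ARIN output.
SAMPLE_REPLY = (
    "# ARIN WHOIS data and services are subject to the Terms of Use\n"
    "NetRange:       192.0.2.0 - 192.0.2.255\n"
    "OrgName:        Example Network Operations\n"
    "OrgId:          EXAMPL-1\n"
)

def query_whois(ip, server=WHOIS_SERVER, port=WHOIS_PORT, timeout=5.0):
    """Send one whois query (the IP plus CRLF) and return the full reply text."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_orgname(reply):
    """Return the OrgName value as one string (the post's b[1:] yields a word list), or None."""
    match = re.search(r"^OrgName:\s*(.+?)\s*$", reply, re.MULTILINE)
    return match.group(1) if match else None

def enrich_results(results, ip_field="ip", lookup=query_whois):
    """Add whois_orgname to every incoming result instead of replacing the result list."""
    cache = {}  # one query per distinct IP, so repeated events do not hammer the server
    for result in results:
        ip = result.get(ip_field, "")
        if ip and ip not in cache:
            try:
                cache[ip] = parse_orgname(lookup(ip)) or ""
            except (OSError, ValueError):
                cache[ip] = ""  # network failure or bad input: leave the field empty
        result["whois_orgname"] = cache.get(ip, "")
    return results

if __name__ == "__main__":
    # Only importable inside Splunk; assumes streaming = true and no generating = true.
    import splunk.Intersplunk
    results, _dummy, _settings = splunk.Intersplunk.getOrganizedResults()
    splunk.Intersplunk.outputResults(enrich_results(results))
```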