Forensic Investigator: How to troubleshoot why I'm getting "error code 1" when I perform a MAC address OUI lookup?

darlas
Communicator

I get the following error when performing a MAC Address OUI lookup.

"External search command 'ouilookup' returned error code 1. "

I've looked up the MAC address on another site and it returns an answer.

I did not see any errors in splunkd.log.

What could be wrong? Where else can I look for clues?

0 Karma

TonyLeeVT
Builder

Interesting... I do not get that error message. If I type in 00, this is what I get:

[screenshot]

What happens when you go to App: Forensic Investigator --> "Splunk" --> "Search".... and type in the following:

| script ouilookup __EXECUTE__ 00

Note: Make sure you are in the Forensic Investigator program. Make sure you lead that command with a pipe.

0 Karma

darlas
Communicator

Hi Tony.

Thanks for the quick response. I still get the error when entering '00'. Even the search returns the same error.

I am in App: Forensic Investigator context.

I have a screenshot but am not sure how to add it to my comment.

Appreciate your help.

-Darla

0 Karma

TonyLeeVT
Builder

No problem. Is your Splunk instance running on Windows or Linux?

What do you get when you run the following command via the command line? (Assuming Linux install)

/opt/splunk/bin/python /opt/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py __EXECUTE__ 00096B

I get the following:

answer
"00096B<,>IBM Corp"
0 Karma

darlas
Communicator

Hi Tony.

Linux.

Here is the output of your command:

[root@myserver bin]# python /var/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py EXECUTE 000
Traceback (most recent call last):
  File "/var/splunk/etc/apps/ForensicInvestigator/bin/ouilookup.py", line 7, in <module>
    import sys,csv,splunk.Intersplunk,string,base64,urllib
ImportError: No module named splunk.Intersplunk

0 Karma

TonyLeeVT
Builder

Wow. As far as I know, splunk.Intersplunk is part of the base install.

  • What version of Splunk are you using?
  • What version of the Forensic Investigator app are you using?

Can you run any of the other scripts? URL decode uses the same basic construct as the MAC OUI lookup. Same with the base64 script. Can you use either of those ok?

Email me via the "Help" -> "Send Feedback" link within the app.

0 Karma
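
Added example, not part of the thread or of the app's code: the command TonyLeeVT posted runs the script with /opt/splunk/bin/python, while the traceback above came from the shell's `python`. This helper reports which of several interpreters can import splunk.Intersplunk; the function names are hypothetical and the interpreter paths you pass in are assumptions about your own install.

```python
import re
import subprocess
import sys

# Dotted module names only, so the value is safe to place after "import".
MODULE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def can_import(interpreter, module):
    """Return (ok, detail): can `interpreter` import `module`?"""
    if not MODULE_RE.match(module):
        raise ValueError("not a module name: %r" % module)
    try:
        proc = subprocess.run(
            [interpreter, "-c", "import " + module],
            capture_output=True, text=True, timeout=30,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Interpreter missing, not executable, or hung.
        return False, "cannot run interpreter: %s" % exc
    if proc.returncode == 0:
        return True, "ok"
    # The last stderr line is the exception, e.g. "ImportError: No module named ..."
    lines = proc.stderr.strip().splitlines()
    return False, lines[-1] if lines else "exit code %d" % proc.returncode


def report(interpreters, module="splunk.Intersplunk"):
    """Check every interpreter path and return {path: (ok, detail)}."""
    return {interp: can_import(interp, module) for interp in interpreters}


if __name__ == "__main__":
    # Pass the interpreters to compare as arguments, for example the
    # Splunk-bundled one and the one found on PATH (paths are assumptions).
    candidates = sys.argv[1:] or [sys.executable]
    for interp, (ok, detail) in report(candidates).items():
        print("%-40s %s  %s" % (interp, "OK  " if ok else "FAIL", detail))
```

An interpreter that reports FAIL here will produce the same ImportError when it runs ouilookup.py directly.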