All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using foreach to get network operator info

gordo32
Communicator
‎03-03-2018 08:20 AM

When using the Network Toolkit's whois function, the network operator information typically appears in one of the *.contact.name fields. I'd like to list the possible contact names as part of the output of one of my queries. However, the beginning of these fields changes depending of various factors, so I can't use consistent field name.

The answer here https://answers.splunk.com/answers/340010/how-to-search-over-a-field-when-its-json-and-has-m-1.html explains how to use the foreach command to output the list of matches, which I've modified to be the following:

| whois 8.8.8.8
| eval contactlist=""
| foreach *.contact.name
[ eval contactlist=contactlist ." ". '<>']
|table contactlist

NOTE: sorry if the FIELD item doesn't appear at the end of the above in the triangle brackets, it seems to be a keyword in splunk answers and fails to display properly

However, I only get a set of blank lines (one per value in the whois resultset). I've tried wrapping foreach *".contact.name" and various other variations, but can't seem to get this to work.

Can anyone help? Alternatively, is there a better way to do this?

Thanks in advance.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-03-2018 10:52 AM

Do post the results you're getting from whois - the way it looks to me, it's not producing any fields other than attribute and value with the contact names listed as some of the attributes.
Also, do post what you'd like the results to look like.

0 Karma
Reply

gordo32
Communicator
‎03-03-2018 12:38 PM

In re-reading the splunk docs on the topic, I think I misunderstood the purpose of the foreach.

0 Karma
Reply

somesoni2
Revered Legend
‎03-06-2018 01:19 PM

Try something like this

| whois 8.8.8.8 | eval attribute=if(like(attribute,"%.contact.name"),"contactlist",attribute) 
| stats values(value) as value by attribute| nomv value
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...