
Try to get list of WHOIS contacts into field results

gordo32
Communicator

I'm trying to put the results of a whois command into a new field so that I can show the whois contact information for each IP address in my query results.

This piece of code works:

| whois 8.8.8.8
| search attribute=*.contact.name
| stats values(value) as contacts

However, when I try to put this into an eval statement I get the error listed beneath the code snippet:

| eval contactlist =
[| whois 8.8.8.8
| search attribute=*.contact.name
| stats values(value) as contacts ]

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

I've tried adding this inside the square brackets after the stats command, but it doesn't help:

| return $contacts

Ultimately, I'm trying to do something like this to get a list of IP owner contacts for bad requests:

index=main eventtype=bad_traffic
| eval contactlist =
[| whois src_ip
| search attribute=*.contact.name
| stats values(value) as contacts ]
| table src_ip, errormsg, contactlist

0 Karma

micahkemp
Champion

You can actually work around this, but you need to know that when an inner search returns a field named search, that value will be dropped in directly where the subsearch is. So this should work:

index=main eventtype=bad_traffic
| eval contactlist =
[| whois src_ip
| search attribute=*.contact.name
| stats values(value) as contacts
| eval search="\"".mvjoin(contacts, ",")."\"" ]
| table src_ip, errormsg, contactlist

The quote fun in search="\"".mvjoin... surrounds the list of contacts with double quotes, so that eval knows it's setting the field to a string.

0 Karma
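To see the substitution mechanism described above without depending on the whois command, the following search is an added example (not from the thread or the Network Toolkit) that builds the contact list with makeresults; the two contact addresses are constructed sample values:

```spl
| makeresults
| eval src_ip="8.8.8.8", errormsg="blocked by policy"
| eval contactlist = [
    | makeresults
    | eval value=split("abuse@example.net,noc@example.net", ",")
    | stats values(value) as contacts
    | eval search="\"" . mvjoin(contacts, ",") . "\""
  ]
| table src_ip, errormsg, contactlist
```

The inner search returns a field named search whose value, quotes included, is pasted in place of the brackets, so the outer command becomes eval contactlist = "abuse@example.net,noc@example.net". Because a subsearch runs once before the outer search, every event gets the same contactlist value; it does not look up each src_ip in turn.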

LukeMurphey
Champion

I'm planning on adding the contact information to the whois lookup command per your request. This ought to be fairly simple and my plan is to include it in the next maintenance release. See ticket 2251 for more information. I expect to have this done within the next couple of weeks.

0 Karma

gordo32
Communicator

Dude... You rock! Let me know if you need any testing done. I'm not a coder, but if you need testing resources, let me know. My team are at your disposal...

0 Karma

LukeMurphey
Champion

@gordo32: I have a release ready with the change. Would you be willing to test it in order to make sure it gives you what you need? I have the package posted here: https://github.com/LukeMurphey/splunk-network-tools/releases/tag/1.2.6-rc1

Once you deploy the network_tools.tar.gz package, you should be able to see the contact fields in the whois lookup output.

0 Karma

LukeMurphey
Champion

I just realized that I never followed up on this. I feel really bad about this. I will get this done ASAP.

0 Karma

ddrillic
Ultra Champion

Seems like a perfect example for a workflow action.

0 Karma

livehybrid
Builder

The problem here is that the whois command is a generative command and must be the first command used in the search.
I've played around with this but can't find a combination that works as required.
There may be other apps that provide whois commands that are not generative commands and do not need to be the first command run in your search; this would allow you to achieve these results.
I'll have another look at other apps and see if there is anything suitable.
There is a lookup called whois as part of the Network Toolkit, but unfortunately it does not output the contact information out-of-the-box and would require some modification.

0 Karma

gordo32
Communicator

Yeah, the Whois from Network Toolkit is the one I'm trying to get it to work with.

0 Karma

gordo32
Communicator

BTW, tried to get around this by first defining the original search, but can't get it to work:

index=main eventtype=bad_traffic
| eval contactlist=""
| eval contactlist =
[| whois 8.8.8.8
| search attribute=*.contact.name
| stats values(value) as contacts ]

0 Karma