I'm trying to put the results of a whois command into a new field so that I can show the whois contact information for each IP address in my query results.
This piece of code works:
| whois 8.8.8.8
| search attribute=*.contact.name
| stats values(value) as contacts
However, when I try to put this into an eval statement I get the error listed beneath the code snippet:
| eval contactlist =
[| whois 8.8.8.8
| search attribute=*.contact.name
| stats values(value) as contacts ]
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
I've tried adding this inside the square brackets after the stats command, but it doesn't help:
| return $contacts
Ultimately, I'm trying to do something like this to get a list of IP owner contacts for bad requests:
index=main eventtype=bad_traffic
| eval contactlist =
[| whois src_ip
| search attribute=*.contact.name
| stats values(value) as contacts ]
| table src_ip, errormsg, contactlist
You can actually work around this, but you need to know that when an inner search returns a field named search, that value will be dropped in directly where the subsearch is. So this should work:
index=main eventtype=bad_traffic
| eval contactlist = [| whois src_ip
    | search attribute=*.contact.name
    | stats values(value) as contacts
    | eval search="\"".mvjoin(contacts, ",")."\"" ]
| table src_ip, errormsg, contactlist
The quote fun in search="\"".mvjoin.. surrounds the list of contacts with double quotes, so that eval knows it's setting the field to a string.
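A self-contained version of that search-field trick, added here as an illustration and not part of the original answer: it replaces the whois subsearch with constructed rows built by makeresults, so it runs on any Splunk instance without a network lookup. The two contact addresses and the 10.0.0.x source IPs are made up for the example.

```spl
| makeresults count=3
| streamstats count as n
| eval src_ip = "10.0.0." . n
| eval contactlist = [
    | makeresults
    | eval contacts = split("abuse@example.net,noc@example.net", ",")
    | eval search = "\"" . mvjoin(contacts, ", ") . "\""
  ]
| table src_ip, contactlist
```

The inner search produces a single field named search whose value is the quoted string "abuse@example.net, noc@example.net"; Splunk splices that text into the outer pipeline, so the outer command becomes eval contactlist = "abuse@example.net, noc@example.net" and every row gets the same value. That is the caveat to keep in mind: a subsearch is expanded once before the outer search runs, not once per event, so this pattern cannot look up a different contact list for each src_ip. A per-event enrichment needs a lookup (or a custom command) rather than a subsearch. Also note that any double quote inside a contact value would terminate the generated string literal early, so strip or replace quotes in the inner search before building the search field if the data can contain them.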
I'm planning on adding the contact information to the whois lookup command per your request. This ought to be fairly simple and my plan is to include it in the next maintenance release. See ticket 2251 for more information. I expect to have this done within the next couple of weeks.
Dude... You rock! Let me know if you need any testing done. I'm not a coder, but if you need testing resources, let me know. My team are at your disposal...
@gordo32: I have a release ready with the change. Would you be willing to test it in order to make sure it gives you what you need? I have the package posted here: https://github.com/LukeMurphey/splunk-network-tools/releases/tag/1.2.6-rc1
Once you deploy the network_tools.tar.gz package, you should be able to see the contact fields in the whois lookup output.
I just realized that I never followed up on this. I feel really bad about this. I will get this done ASAP.
Seems like a perfect example for a workflow action.
The problem here is that the whois command is a generative command and must be the first command used in the search.
I've played around with this but can't find a combination that works as required.
There may be other apps that provide whois commands that are not generative commands and do not need to be the first command run in your search; this would allow you to achieve these results.
I'll have another look at other apps and see if there is anything suitable.
There is a lookup called whois as part of the Network Toolkit but unfortunately it does not output the contact information out-of-the-box and would require some modification.
Yeah, the Whois from Network Toolkit is the one I'm trying to get it to work with.
BTW, tried to get around this by first defining the original search, but can't get it to work:
index=main eventtype=bad_traffic
| eval contactlist=""
| eval contactlist = [| whois 8.8.8.8
    | search attribute=*.contact.name
    | stats values(value) as contacts ]