All Apps and Add-ons

How can I run a whois search on multiple IPs with one command?

derekho55
Explorer

Using the Network Toolkit app, I want to run the whois command on multiple IPs with one command, such as reading from a lookup. Is that possible?

i.e. |whois IP1, IP2, IP3

1 Solution

LukeMurphey
Champion

You use the whois lookup command that is included in the Network Toolkit app. See (https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups).

For example, your search may end with the lookup command like this:

... | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id

View solution in original post

0 Karma

LukeMurphey
Champion

You use the whois lookup command that is included in the Network Toolkit app. See (https://lukemurphey.net/projects/network-tools/wiki/Using_Lookups).

For example, your search may end with the lookup command like this:

... | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
0 Karma

alexkiss2097
New Member

Hi Luke,

I'm trying to use the lookup as you have it here, but all of those fields come out blank. The only fields that return anything are _raw and host. Additionally if I do | table * then contact.address contact.email contact.name contact.phone all return with the correct results, but not other fields from the whois lookup populate. Is there something I am doing wrong?

0 Karma

robert_miller
Path Finder

I also can't get this to work. Hopefully, someone has a solution.

0 Karma

jrodriguezap
Contributor

It happens the same to me too.
Could someone correct it? please!

0 Karma

ericnewman
Explorer

We were having the same problem and discovered that we was getting the below errors in the search.log (Job-->Inpect Job->Search job properties - search.log) even though there was no indication on an issue.  We are running Splunk Enterprise version 8.1.2 which defaults to python3.  We were able to get the lookups working by setting them to run as python2. 

 

We added a custom /opt/splunk/etc/apps/network_tools/local/transforms.conf.

 

[whois]
python.version = python2

[nslookup]
python.version = python2

[traceroute]
python.version = python2

[ping]
python.version = python2

[portscan]
python.version = python2

 

Example Errors:

 

05-25-2021 15:14:39.784 INFO  PreviewExecutor - Preview Enforcing initialization done
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':  Exception in thread ping_lookup:
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':  Traceback (most recent call last):
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/lib/python3.7/threading.py", line 926, in _bootstrap_inner
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      self.run()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/lib/python3.7/threading.py", line 870, in run
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      self._target(*self._args, **self._kwargs)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/custom_lookup.py", line 253, in do_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      self.execute_lookup(result, w, fieldnames)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/custom_lookup.py", line 210, in execute_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      output = self.do_lookup(**keyword_arguments)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/etc/apps/network_tools/bin/whois_lookup.py", line 55, in do_lookup
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      index = get_default_index()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 133, in get_default_index
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      app_config = get_app_config(session_key)
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':    File "/opt/splunk/etc/apps/network_tools/bin/network_tools_app/__init__.py", line 106, in get_app_config
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':      conf = ConfigParser.SafeConfigParser()
05-25-2021 15:14:40.222 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/whois_lookup.py host':  AttributeError: type object 'ConfigParser' has no attribute 'SafeConfigParser'
05-25-2021 15:14:40.270 INFO  DispatchExecutor - END OPEN: Processor=noop

 

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...