Using foreach to get network operator info

gordo32
Communicator

When using the Network Toolkit's whois function, the network operator information typically appears in one of the *.contact.name fields. I'd like to list the possible contact names as part of the output of one of my queries. However, the beginning of these fields changes depending on various factors, so I can't use a consistent field name.

The answer here https://answers.splunk.com/answers/340010/how-to-search-over-a-field-when-its-json-and-has-m-1.html explains how to use the foreach command to output the list of matches, which I've modified to be the following:

| whois 8.8.8.8
| eval contactlist=""
| foreach *.contact.name
[ eval contactlist=contactlist ." ". '<<FIELD>>']
|table contactlist

NOTE: Sorry if the FIELD item doesn't appear at the end of the above in the triangle brackets; it seems to be a keyword in Splunk Answers and fails to display properly.

However, I only get a set of blank lines (one per value in the whois resultset). I've tried wrapping foreach *".contact.name" and various other variations, but can't seem to get this to work.

Can anyone help? Alternatively, is there a better way to do this?

Thanks in advance.

0 Karma

martin_mueller
SplunkTrust

Do post the results you're getting from whois - the way it looks to me, it's not producing any fields other than attribute and value with the contact names listed as some of the attributes.
Also, do post what you'd like the results to look like.

0 Karma

gordo32
Communicator

In re-reading the Splunk docs on the topic, I think I misunderstood the purpose of the foreach.

0 Karma

somesoni2
Revered Legend

Try something like this

| whois 8.8.8.8 | eval attribute=if(like(attribute,"%.contact.name"),"contactlist",attribute) 
| stats values(value) as value by attribute| nomv value
0 Karma
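
Added example, not part of the original thread and not actual Network Toolkit output: a search that runs without the whois command and shows why foreach found nothing to iterate over, then makes it work. It assumes, as the replies above suggest, that whois returns one row per attribute with the fields attribute and value; the attribute names and values in constructed_sample are made up for illustration.

```spl
| makeresults
| eval constructed_sample="asn=64500;network.name=EXAMPLE-NET;objects.ABC1-EX.contact.name=Example Abuse Desk;objects.XYZ9-EX.contact.name=Example Network Operations"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<attribute>[^=]+)=(?<value>.*)$"
| table attribute value
| transpose 0 header_field=attribute
| foreach *.contact.name
    [ eval contactlist=mvappend(contactlist, '<<FIELD>>') ]
| eval contactlist=mvjoin(contactlist, ", ")
| table contactlist
```

Up to the first table command the results are rows of attribute/value pairs, so no field is actually named *.contact.name and foreach matches nothing. The transpose step turns each attribute into a column on a single row, after which foreach can match the wildcard and collect both contact names into contactlist.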