When using the Network Toolkit's whois function, the network operator information typically appears in one of the *.contact.name fields. I'd like to list the possible contact names as part of the output of one of my queries. However, the beginning of these fields changes depending on various factors, so I can't use a consistent field name.
The answer here https://answers.splunk.com/answers/340010/how-to-search-over-a-field-when-its-json-and-has-m-1.html explains how to use the foreach command to output the list of matches, which I've modified to be the following:
| whois 8.8.8.8
| eval contactlist=""
| foreach *.contact.name
    [ eval contactlist=contactlist." ".'<<FIELD>>' ]
| table contactlist
NOTE: sorry if the FIELD item doesn't appear at the end of the above in the angle brackets; it seems to be a keyword in Splunk Answers and fails to display properly.
However, I only get a set of blank lines (one per value in the whois result set). I've tried wrapping it as foreach *".contact.name" and various other variations, but can't seem to get this to work.
Can anyone help? Alternatively, is there a better way to do this?
Thanks in advance.
Do post the results you're getting from whois - the way it looks to me, it's not producing any fields other than attribute and value, with the contact names listed as some of the attributes.
Also, do post what you'd like the results to look like.
In re-reading the Splunk docs on the topic, I think I misunderstood the purpose of the foreach.
Try something like this
| whois 8.8.8.8
| eval attribute=if(like(attribute,"%.contact.name"),"contactlist",attribute)
| stats values(value) as value by attribute
| nomv value
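The reason the foreach approach produced blank lines is that whois emits one event per attribute/value pair rather than one event with fields named admin.contact.name, tech.contact.name, and so on, so there are no *.contact.name fields for foreach to iterate over. The answer's pipeline works on that row shape: rename every attribute ending in .contact.name to a single name, then group the values. The following Python is an added example (not Splunk's code and not part of this thread) that reproduces that eval/stats/nomv pipeline offline on constructed sample rows, so you can see exactly what each stage does to attribute/value data. The sample rows and the space separator used for nomv are assumptions for illustration, not a real whois result for 8.8.8.8.

```python
# Constructed sample rows in the attribute/value shape that the Network
# Toolkit's whois command emits (one row per attribute). Values are
# illustrative, not a real whois result.
SAMPLE_ROWS = [
    {"attribute": "netname", "value": "GOOGLE"},
    {"attribute": "admin.contact.name", "value": "Network Administrator"},
    {"attribute": "tech.contact.name", "value": "NOC Team"},
    {"attribute": "abuse.contact.name", "value": "Abuse Desk"},
    {"attribute": "abuse.contact.email", "value": "abuse@example.net"},
    {"attribute": "tech.contact.name", "value": "NOC Team"},  # duplicate on purpose
]


def collapse_attributes(rows, suffix=".contact.name", new_name="contactlist"):
    """Mimic the SPL pipeline
         eval attribute=if(like(attribute,"%<suffix>"), "<new_name>", attribute)
         | stats values(value) as value by attribute
    like() with a leading % is a suffix match, so endswith() is the equivalent.
    stats values() returns the distinct values of each group in sorted order,
    so the result is attribute -> sorted list of unique values.
    """
    grouped = {}
    for row in rows:
        attr = row["attribute"]
        if attr.endswith(suffix):
            attr = new_name          # fold all *.contact.name rows into one group
        grouped.setdefault(attr, set()).add(row["value"])
    return {attr: sorted(vals) for attr, vals in grouped.items()}


def contact_list(rows, sep=" "):
    """Equivalent of `| nomv value` on the contactlist group: flatten the
    multivalue field into a single string. The separator is an assumption;
    change it to match how you want the names displayed."""
    return sep.join(collapse_attributes(rows).get("contactlist", []))


if __name__ == "__main__":
    for attr, vals in collapse_attributes(SAMPLE_ROWS).items():
        print(f"{attr}: {vals}")
    print("contactlist:", contact_list(SAMPLE_ROWS))
```

The same shape generalizes to any other family of whois attributes: pass a different suffix (for example ".contact.email") and a new_name to collapse_attributes, which is exactly what changing the like() pattern and the literal in the eval does in SPL.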