Going off Pochichen, try this:
(dest = 162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count |lookup whoisLookup ip AS src_ip| eval whois = substr(whois, 3, len(whois)-3)| spath path=WhoisRecord.RegistryData.Registrant.Country output=Country input=whois
Or do get all the fields:
(dest = 162.248.150.* OR 192.168.. ) AND src_ip != 192.168.. AND src_ip=184.168.152.52 | stats count by src_ip | sort -count |lookup whoisLookup ip AS src_ip| eval whois = substr(whois, 3, len(whois)-3)| spath input=whois
... View more