Here is what I am running:
(dest = 162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip as src_ip | spath path=WhoisRecord.RegistryData.Registrant output=Country input=whois
and sample output:
src_ip count Country whois
184.168.152.52 4814 ['<WhoisRecord xmlns="http://adam.kahtava.com/services/whois" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><DomainName>184.168.152.52</DomainName><RegistryData><AbuseContact><Email>abuse@godaddy.com</Email><Name>Abuse Department</Name><Phone>+1-480-624-2505</Phone></AbuseContact><AdministrativeContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></AdministrativeContact><BillingContact i:nil="true"/><CreatedDate>2010-09-21T11:16:05-04:00</CreatedDate><RawText i:nil="true"/><Registrant><Address>14455 N Hayden Road
, Suite 226</Address><City>Scottsdale</City><Country>US</Country><Name>GoDaddy.com, LLC</Name><PostalCode>85260</PostalCode><StateProv>AZ</StateProv></Registrant><TechnicalContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></TechnicalContact><UpdatedDate>2014-02-25T18:37:10-05:00</UpdatedDate><ZoneContact i:nil="true"/></RegistryData></WhoisRecord>']
I found the spath function after posting the question, however, I have not been successful in getting it to extract any data. I am not sure if I have incorrect syntax or what is going on.
Any insight would be appreciated.
Thanks
Shawn
... View more