Version 3 - History - Using Lookups - Network Tools - LukeMurphey.net

Using Lookups » History » Version 3

Luke Murphey, 01/23/2020 10:21 PM

-Luke Murphey
+h1. Lookups
 Luke Murphey
-Luke Murphey
+Network Toolkit includes custom lookups that can be used to get information on hosts within events. The lookups provided are:
 Luke Murphey
-Luke Murphey
+* whois
-Luke Murphey
+* ping
-Luke Murphey
+* traceroute
-Luke Murphey
+* nslookup
 Luke Murphey
-Luke Murphey
+Below are some examples of running these commands (each example the field containing the field you want to lookup is in field +host_to_lookup+):
 Luke Murphey
-Luke Murphey
+Whois:
-Luke Murphey
+<pre>
-Luke Murphey
+... | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+Ping:
-Luke Murphey
+<pre>
-Luke Murphey
+... | lookup ping host as host_to_lookup | table _raw host sent received packet_loss min_ping max_ping avg_ping jitter return_code raw_output
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+Traceroute:
-Luke Murphey
+<pre>
-Luke Murphey
+... | lookup traceroute host as host_to_lookup | table _raw host return_code raw_output hops
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+NSlookup:
-Luke Murphey
+<pre>
-Luke Murphey
+... | lookup nslookup host as host_to_lookup | table _raw aaaa a mx ns server
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+Portscan:
-Luke Murphey
+<pre>
-Luke Murphey
+(dest=10.0.0.6 OR dest=10.0.1.11) | stats count by dest | eval ports="80,443,8000" | lookup portscan host as dest ports | table ports dest open_ports closed_ports
-Luke Murphey
+</pre>
 Luke Murphey
-Luke Murphey
+You will need to make sure that the ports field is defined as the list of ports to scan if you do not want to use the defaults.

Project

General

Profile

Splunk Apps » Network Tools

Using Lookups » History » Version 3