  • Dwayne Hoover

    Currently, this is not native functionality. However, this is something that could be scripted using our API.

    A brief walkthrough would go something like this:

    1. Via a script (Python, for example), use the search API to query data with IP addresses.
    2. Parse the results using the script.
    3. Perform a WHOIS lookup in the script.
    4. Push the data back to Sumo Logic using a hosted collector/HTTP source (within the script) or dump it to a file that the collector will upload.
    5. In the search interface, use the JOIN operator to join data sets on IP.

    Using scheduled views, you could combine both data sets into one consolidated view with the WHOIS data enriching the original logs containing the IP addresses.

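Steps 2 to 4 of the walkthrough above, as an added example that is not part of the original post and not Sumo Logic's own code. It assumes raw log messages have already been fetched in step 1, that `whois.arin.net` is an acceptable WHOIS server, and that the reply uses ARIN-style `Key: value` lines; the function names, field names and sample data are constructed for illustration.

```python
import ipaddress, json, re, socket, urllib.request

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FIELDS = {"orgname": "org", "netname": "netname", "cidr": "cidr", "country": "country"}

# Constructed sample data (not real search results or a real WHOIS reply).
SAMPLE_MESSAGES = ["src=8.8.8.8 dst=10.0.0.5 action=allow",
                   "login failed from 1.1.1.1", "probe 8.8.8.8 bad=999.1.1.1"]
SAMPLE_WHOIS = ("# constructed reply\nCIDR:     8.8.8.0/24\nNetName:  EXAMPLE-NET\n"
                "OrgName:  Example Org\nCountry:  US\nCountry:  ZZ\n")

def extract_public_ips(messages):
    """Step 2: unique, globally routable IPv4s; internal addresses never leave the script."""
    found = set()
    for msg in messages:
        for cand in IP_RE.findall(msg):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:          # e.g. 999.1.1.1 is not an address
                continue
            if ip.is_global:            # drops RFC 1918, loopback, link-local, ...
                found.add(str(ip))
    return sorted(found)

def whois_query(ip, server="whois.arin.net", timeout=10, max_bytes=65536):
    """Step 3: raw WHOIS (RFC 3912) over TCP 43; the server choice is an assumption."""
    buf = b""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{ip}\r\n".encode())
        while len(buf) < max_bytes and (chunk := s.recv(4096)):
            buf += chunk                # size cap: the reply is untrusted input
    return buf.decode("utf-8", "replace")

def parse_whois(text):
    """Keep only allow-listed keys (first occurrence wins); ignore everything else."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        field = FIELDS.get(key.strip().lower())
        if sep and field and field not in out:
            out[field] = val.strip()
    return out

def build_records(messages, lookup=whois_query):
    """One JSON line per IP, ready for an HTTP source or a file the collector uploads."""
    return [json.dumps({"ip": ip, **parse_whois(lookup(ip))}, sort_keys=True)
            for ip in extract_public_ips(messages)]

def upload(records, source_url):
    """Step 4: POST newline-delimited JSON to the hosted collector's HTTP source URL."""
    req = urllib.request.Request(source_url, data="\n".join(records).encode(), method="POST")
    return urllib.request.urlopen(req, timeout=10).status
```

Because every record carries an `ip` key, the uploaded data can be joined against the original logs on that field as described in step 5.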
  • Andrew Angelopoulos

    Been five years, wondering if someone clever has come up with a different approach? Maybe somehow to trigger it on demand from within Sumo Logic?

    Based on the above, I sort of see some real or bogus quarter-hour query (results > 1) that triggers a script action on some server that then goes to step 1 above.

    Is there a more on-demand way to trigger it through the UI perhaps? Or something more elegant nowadays?

    (and it doesn't have to be a whois, just the ability to trigger a scripted data pull of some sort to enrich the presented data)


  • Ryan Lovergine

    +1 would love to know where this stands. 
