added online function

README → README.md

@@ -2,29 +2,19 @@
 
    Author: MuS
 
-   Version/Date: 1.0 / October 2012
-   Version/Date: 1.1 / October 2013 - added App icon, Splunk 6 support
-   Version/Date: 1.2 / Mai 2014 - changed MAC regex match
-   Version/Date: 1.3 / August 2014 - changed MAC regex match
-   Version/Date: 2.0 / September 2014 - complete re-write
-   Version/Date: 2.1 / September 2014 - added debugging
-   Version/Date: 2.2 / September 2014 - added dummy fields for unknown MAC's
-   Version/Date: 2.3 / January 2018 - bug fixes
-   Version/Date: 2.4 / February 2018 - Bug fixes
-   Version/Date: 2.5 / February 2018 - Added offline and field option
-
-
-
-
    Supported product(s):
    CIM src_mac field or any other specified field with nic MAC's in it
 
    Source type(s):
 
    Input requirements:
-   The standart IEEE 802 MAC-48 address format is requiered.
-   The server where the search is running, must be able to connect to the inet, since this lookup can happen on an internet DB ;)
-   The nic MAC must be following format 00:11:22:33:44:55 or AB-CD-12-34-EF-A1 or 0123.4567.89ab
+   The standard IEEE 802 MAC-48 address format is required.
+   The server where the search is running, must be able to connect to the internet, 
+   since this lookup can happen on an internet DB ;)
+   The nic MAC must be in the following format
+   - 00:11:22:33:44:55
+   - AB-CD-12-34-EF-A1
+   - 0123.4567.89ab
 
    The online result will be the following new fields:
 
@@ -43,7 +33,10 @@
 ===Using this Technology Add-on===
 
    Setup:
-   Install TA and restart Splunk. If it is not working, enable debugging in the maclookup.py script. After that you will have a log file in $SPLUNK_HOME/var/log/splunk/ and get UI errors. Remember to disable the debugging after that.
+   Install TA and restart Splunk. If it is not working, enable debugging in the
+   maclookup.py script. After that you will have a log file in
+   $SPLUNK_HOME/var/log/splunk/ and get UI errors. Remember to disable the
+   debugging after that.  
    Sometimes Splunk needs for what ever reason two restarts to get this working.
 
    Configuration:
@@ -54,12 +47,28 @@
    Offline lookup NIC MAC in field 'src_mac' using netaddr module
 
    example2 = | maclookup field=foo
-   Offline lookup NIC MAC in field 'foo' using the online intetnet lookup
+   Offline lookup NIC MAC in field 'foo' using the online internet lookup
 
    example3 = | maclookup online=yes field=foo
-   Online lookup NIC MAC in field 'foo' using the online intetnet lookup - currently disabled!
+   Online lookup NIC MAC in field 'foo' using the online internet lookup
 
 ===Support===
 This is an open source project, no support provided, but you can ask questions
 on answers.splunk.com and I will most likely answer it.
 Github repository: https://github.com/M-u-S/TA-maclookup
+
+I validate all my apps with appinspect and the log can be found in the README
+folder of each app.
+
+===Versions===
+Version/Date: 1.0 / October 2012
+Version/Date: 1.1 / October 2013 - added App icon, Splunk 6 support
+Version/Date: 1.2 / May 2014 - changed MAC regex match
+Version/Date: 1.3 / August 2014 - changed MAC regex match
+Version/Date: 2.0 / September 2014 - complete re-write
+Version/Date: 2.1 / September 2014 - added debugging
+Version/Date: 2.2 / September 2014 - added dummy fields for unknown MAC's
+Version/Date: 2.3 / January 2018 - bug fixes
+Version/Date: 2.4 / February 2018 - Bug fixes
+Version/Date: 2.5 / February 2018 - Added offline and field option
+Version/Date: 2.5.2 / February 2019 - Added new online service

bin/maclookup.py

@@ -1,4 +1,4 @@
-#!/opt/splunk/bin/python
+#!/usr/bin/env python2.7
 # Copyright (C) 2014 MuS
 # http://answers.splunk.com/users/2122/mus
 #
@@ -31,7 +31,7 @@ def setup_logging(n):
     return logger
 
 # set URL to be used for query
-url = 'https://www.macvendorlookup.com/api/v2/'
+url = 'https://macvendors.co/api'
 
 # set regex for MAC address like xx:xx.. or xx-xx.. or xxxx.xxxx..
 regex = '[0-9A-Za-z]{2}[:-][0-9A-Za-z]{2}[:-][0-9A-Za-z]{2}[:-][0-9A-Za-z]{2}[:-][0-9A-Za-z]{2}[:-][0-9A-Za-z]{2}|[a-zA-Z0-9]{4}\.[a-zA-Z0-9]{4}\.[a-zA-Z0-9]{4}'
@@ -89,50 +89,44 @@ def setup_logging(n):
     # for each found mac
     for MAC in macs:
         logger.info( 'for each found MAC ...' )
-        try:
-            # query the URL
-            logger.info( 'Online : %s ...' % online )
-            if 'yes' in online:
-                x = 1/0
-                #logger.info( 'setup the online URL to query ...' )
-                #r = urllib2.urlopen(url + MAC)
-                #logger.info('Using %s as URL and %s as MAC' % (url, MAC))
-                #try:
-                #    # and read the result as JSON list of dicts
-                #    logger.info( 'and read the result as JSON list of dicts ...' )
-                #    data = json.loads(r.read().decode(r.info().getparam('charset') or 'utf-8'))
-                #    logger.info( 'got JSON list of dict: %s ' % data )
-                #except:
-                #    logger.error( 'failed to read the result for MAC %s' % MAC )
-                #    logger.error( 'using some dummy field ... ' )
-                #    data = [{u'addressL3': u'unknown', u'type': u'unknown', u'addressL2': u'unknown', u'endHex': u'unknown', u'country': u'unknown', u'addressL1': u'unknown', u'company': u'unknown', u'startHex': u'unknown', u'endDec': u'unknown', u'startDec': u'unknown'}]
-                ## now this is somekind ugly, but needed
-                ## get the dict out of the URL result list
-                #logger.info( 'get the dict out of the URL result list ...' )
-                #for dict in data:
-                #    try:
-                #       # add mac to dict
-                #       logger.info( 'add MAC to dict ...' )
-                #       dict['MAC'] = MAC
-                #       # more fancy stuff, updating the previous results with the new fields
-                #       logger.info( 'updating line with dict' )
-                #       line.update(dict)
-                #       # and put it into new list, so more dict can be added
-                #       logger.info( 'and put it into new list, so more dict can be added ...' )
-                #       list.append(line)
-                #    except:
-                #       logger.error( 'failed to build the list for the splunk output!' )
-                #       splunk.Intersplunk.generateErrorResults(': failed to build the list for the splunk output!')
-                #       exit()
-        except:
-            logger.error( 'This option is currently disabled due to the fact that the online API is not available. Please use the offline option instead.')
-            splunk.Intersplunk.generateErrorResults(': This option is currently disabled due to the fact that the online API is not available. Please use the offline option instead.')
-            #logger.error( 'failed to setup the URL!' )
-            #splunk.Intersplunk.generateErrorResults(': failed to setup the URL! Using %s as URL and %s as MAC' % (url, MAC))
-            exit()
-	try:
-            # query the netaddr library
-            if 'no' in online:
+        # query the URL
+        logger.info( 'Online : %s ...' % online )
+        if 'yes' in online:
+            try:
+                logger.info( 'setup the online URL to query ...' )
+                url2 = '%s/%s/json' % (url, MAC)
+                logger.info('Using %s as URL and %s as MAC' % (url2, MAC))
+                logger.info('connecting ... ')
+                r = urllib2.urlopen(url2)
+                logger.info('connected ...')
+            except:
+                logger.error( 'failed to setup the URL!' )
+                splunk.Intersplunk.generateErrorResults(': failed to setup the URL! Using %s as URL and %s as MAC' % (url2, MAC))
+                exit()
+            try:
+                # and read the result as JSON list of dicts
+                logger.info( 'and read the result as JSON list of dicts ...' )
+                data = json.loads(r.read().decode(r.info().getparam('charset') or 'utf-8'))
+                logger.info( 'got JSON list of dict: %s ' % data )
+            except:
+                logger.error( 'failed to read the result for MAC %s' % MAC )
+                splunk.Intersplunk.generateErrorResults(': failed to read the online result!')
+                exit()
+            # get the dict out of the URL result list
+            logger.info( 'get the dict out of the URL result list ...' )
+            try:
+                # and put it into new list, so more dict can be added
+                logger.info( 'adding result : %s ' % data['result'] )
+                list.append(data['result'])
+                logger.info( 'new list : %s ' % list )
+            except:
+                logger.error( 'failed to build the list for the splunk output!' )
+                splunk.Intersplunk.generateErrorResults(': failed to build the list for the splunk output!')
+                exit()
+
+        # query the netaddr library
+        if 'no' in online:
+	    try:
                 logger.info( 'setup the offline netaddr query ...' )
                 logger.info( 'using mac to lookup : %s ' % MAC)
                 lookup = netaddr.EUI(MAC)
@@ -148,11 +142,10 @@ def setup_logging(n):
                 logger.info( 'and put it into new list, so more dict can be added ...' )
                 list.append(line)
                 logger.info( 'new list : %s ' % list)
-        except:
-            logger.error( 'failed to use the netaddr module!' )
-            splunk.Intersplunk.generateErrorResults(': failed to use the netaddr module!')
-            exit()
-
+            except:
+                logger.error( 'failed to use the netaddr module!' )
+                splunk.Intersplunk.generateErrorResults(': failed to use the netaddr module!')
+                exit()
 
 # output the result to splunk
 logger.info( 'output the result to splunk> ...' )

default/app.conf

@@ -4,7 +4,6 @@
 
 [install]
 is_configured = 0
-install_source_checksum = 9ab70cd9edba851ceee37901b1e8adb105965af2
 
 [ui]
 is_visible = 0
@@ -13,7 +12,7 @@ label = TA-maclookup
 [launcher]
 author = Michael Uschmann / MuS © 2018
 description = custom search command to lookup MAC's offline or online
-version = 2.5.1
+version = 2.5.2
 
 [package]
 check_for_updates = 1

default/searchbnf.conf

@@ -3,18 +3,18 @@
 ##################
 [maclookup-command]
 syntax = | maclookup
-shortdesc = maclookup to get Manufactor Company / vendor Name
-description = Lookup the standard IEEE 802 addresses using netaddr module or in an internet API https://www.macvendorlookup.com/ to get Manufactor Company Name and other informations. !!! This command is not intened for high volume throuput! Always concider using a 'stats ... by <mac field>' before the maclookup command !!!
+shortdesc = maclookup to get Manufacture Company / vendor Name
+description = Lookup the standard IEEE 802 addresses using netaddr module or in an internet API https://www.macvendorlookup.com/ to get Manufacture Company Name and other informations. !!! This command is not intended for high volume throuput! Always consider using a 'stats ... by <mac field>' before the maclookup command !!!
 usage = public
 example1 = | maclookup
 comment1 = Offline lookup NIC MAC in field 'src_mac' using netaddr module
 example2 = | maclookup field=foo
-comment2 = Offline lookup NIC MAC in field 'foo' using the online intetnet lookup
+comment2 = Offline lookup NIC MAC in field 'foo' using the online internet lookup
 example3 = | maclookup online=yes field=foo
-comment3 = Online lookup NIC MAC in field 'foo' using the online intetnet lookup - currently disabled!
+comment3 = Online lookup NIC MAC in field 'foo' using the online internet lookup - currently disabled!
 related =
 tags =
 
 [maclookup-options]
 syntax = NIC_MAC
-description = maclookup in netaddr module or in internet DB to get Manufactor Company Name
+description = maclookup in netaddr module or in internet DB to get Manufacture Company Name