whois
Performs a WHOIS lookup for the domain name in the specified field and outputs the server's response text to the line field. Each record triggers a real-time query to an external WHOIS server, so the command needs outbound network access (TCP port 43), and the domain names in the field are sent to third-party servers. Because public WHOIS servers rate-limit clients and each lookup may block for up to the socket timeout, reduce the input set first (for example with stats and limit) rather than running whois over raw logs.
Command properties
| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
whois FIELD
Target
FIELD - Name of the field that contains the domain name to look up.
Output fields
| Field | Type | Description |
|---|---|---|
| line | string | Full response text returned by the WHOIS server. Not output if the WHOIS lookup fails or there is no information for the domain. |
Error codes
Parsing errors
N/A
Runtime errors
N/A
Description
The whois command first queries the IANA WHOIS server (whois.iana.org) to find the WHOIS server address responsible for the domain. It then connects to that server via the WHOIS protocol (TCP port 43) to retrieve domain registration information.
The response is decoded as UTF-8 and stored as a string in the line field. The socket timeout is 5 seconds. If the WHOIS lookup fails (for example because of a connection error or a timeout), the record passes through as-is without a line field.
If the value of the specified field is null, the record passes through as-is.
Examples
-
Retrieve WHOIS information for domains
table duration=1h dns_logs | stats count by domain | sort -count | limit 10 | whois domain
Retrieves WHOIS information for the top 10 domains from DNS logs.
-
Check whether domains are newly registered
table duration=1d dns_logs | dga-features | search ngram_prob_avg < 0.001 | stats count by domain | whois domain | search line contains "Creation Date"
Retrieves WHOIS information for domains with DGA characteristics and keeps only the records whose WHOIS response contains a creation date. The filter does not compare the date itself; the Creation Date line in the line field still has to be inspected to decide whether the domain is newly registered.
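As an added example (not code from the original page, and not the command's own implementation), the following Python reproduces the two-step flow described under Description, an IANA referral lookup followed by a query to the registry's WHOIS server on TCP port 43, and then extracts the creation date that the second query example filters on, so that "newly registered" becomes a concrete age check rather than a text match. The server name and both WHOIS responses are constructed samples with invented values; everything except whois_query and lookup runs offline, and the 5-second socket timeout matches the command's.

```python
"""Added example: IANA referral -> registry WHOIS query, plus creation-date extraction.
Not the command's own implementation; sample responses below are constructed."""
import socket
from datetime import datetime, timezone
from typing import Optional, Union

IANA_WHOIS = "whois.iana.org"
WHOIS_PORT = 43
SOCKET_TIMEOUT = 5.0          # same 5-second socket timeout as the command

# Registries label the registration timestamp differently; these are common keys.
_CREATION_KEYS = ("creation date", "created", "registered on", "registration time")
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
                 "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def whois_query(server: str, query: str, timeout: float = SOCKET_TIMEOUT) -> str:
    """One WHOIS exchange (RFC 3912): send query + CRLF, read until the server closes,
    decode as UTF-8. Network call; the offline samples below never reach it."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    # errors="replace" keeps the record usable if a registrar emits non-UTF-8 bytes
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(iana_response: str) -> Optional[str]:
    """Registry WHOIS server named on IANA's 'refer:' line, or None if there is none."""
    for line in iana_response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "refer" and value.strip():
            return value.strip()
    return None


def lookup(domain: str) -> Optional[str]:
    """Ask IANA which server is responsible (IANA's data is keyed by TLD), then query it.
    Returns None when IANA gives no referral. Network call, not run offline."""
    tld = domain.rstrip(".").lower().rsplit(".", 1)[-1]
    server = parse_referral(whois_query(IANA_WHOIS, tld))
    return None if server is None else whois_query(server, domain)


def _parse_timestamp(value: str) -> Optional[datetime]:
    """Try the known timestamp layouts; naive values are assumed to be UTC."""
    for fmt in _DATE_FORMATS:
        try:
            parsed = datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """First parseable registration timestamp in the response, in UTC; None if absent."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so "13:37:00" survives
        if sep and key.strip().lower() in _CREATION_KEYS:
            parsed = _parse_timestamp(value)
            if parsed is not None:
                return parsed
    return None


def is_newly_registered(whois_text: str, now: Union[datetime, str, None] = None,
                        max_age_days: int = 30) -> Optional[bool]:
    """True if the domain was created within max_age_days before `now` (datetime, ISO
    string, or None for the current time). None when the response has no creation date,
    so callers can tell "unknown" apart from "old"."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_timestamp(now)
        if now is None:
            raise ValueError("unparseable 'now' timestamp")
    return (now - created).days < max_age_days


# Constructed samples: layout modelled on IANA/registry output, every value invented.
SAMPLE_IANA_RESPONSE = """\
% IANA WHOIS server
% This query returned 1 object

refer:        whois.example-registry.test

domain:       TEST
whois:        whois.example-registry.test
status:       ACTIVE
"""

SAMPLE_REGISTRY_RESPONSE = """\
   Domain Name: LOOKS-LIKE-DGA.TEST
   Registry Domain ID: 0000000_DOMAIN_TEST-INVENTED
   Updated Date: 2024-05-01T09:00:00Z
   Creation Date: 2024-04-20T13:37:00Z
   Registry Expiry Date: 2025-04-20T13:37:00Z
   Domain Status: clientTransferProhibited
"""
```

In a pipeline, the equivalent of the second example is `is_newly_registered(line, now=<event time>)`: a domain with DGA-like features whose creation date falls within the last few days is a far stronger signal than the mere presence of a "Creation Date" line, and the None result preserves the command's behaviour of leaving records without registration data distinguishable from old domains.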