Search Commands

Reference for whisperlookup, whisperquery, whisperschema, whisperflush, whisperevict.

Updated April 2026


whisperquery: Raw Cypher queries against the Knowledge Graph
whisperexplain: Threat intelligence assessment for indicators
whisperlookup: Inline enrichment of events in SPL
whisperevict / whisperflush: Cache management

whisperlookup

Streaming command that enriches events with IOC context from the Knowledge Graph. It appends enrichment fields to each event inline.

Syntax

| whisperlookup field=<field_name> [type=auto|domain|ip] [include_threat_intel=true|false] [include_cname=true|false] [include_nameserver=true|false] [include_feeds=true|false] [add_prefix=<prefix>]

Parameters

Parameter | Required | Default | Description
field | Yes | (none) | Event field containing the indicator to enrich
type | No | auto | Indicator type: auto (detect from value), domain, or ip
include_threat_intel | No | true | Include all threat-related fields (threat score, level, boolean indicators, ASN threat data, and explain API results)
include_cname | No | true | Include CNAME chain resolution
include_nameserver | No | true | Include nameserver information
include_feeds | No | true | Include threat feed listings
add_prefix | No | whisper_ | Prefix added to enrichment field names

Output fields

For domain enrichment, these fields are appended (with the configured prefix):

Field | Description | Example
whisper_ip | Resolved IP address(es) | 93.184.216.34
whisper_prefix | BGP prefix (CIDR block) | 93.184.216.0/24
whisper_asn | Autonomous System Number | AS15133
whisper_asn_name | ASN organization name | Edgecast Inc.
whisper_country | Country code | US
whisper_cohost_count | Number of co-hosted domains | 42
whisper_cname_chain | CNAME alias chain | www.example.com,example.com
whisper_cname_depth | CNAME chain depth | 1
whisper_cname_target | Final CNAME target | example.com
whisper_nameservers | Nameserver list | a.iana-servers.net,b.iana-servers.net
whisper_threat_score | Threat score (unbounded float, 0-100+) | 15
whisper_threat_level | Threat level (from API or derived) | LOW
whisper_is_threat | Boolean: known threat indicator | true
whisper_is_tor | Boolean: Tor exit node | false
whisper_is_c2 | Boolean: command-and-control | false
whisper_is_malware | Boolean: malware distribution | false
whisper_is_phishing | Boolean: phishing host | false
whisper_is_spam | Boolean: spam source | false
whisper_is_bruteforce | Boolean: brute-force source | false
whisper_is_scanner | Boolean: network scanner | false
whisper_is_blacklist | Boolean: on public blacklist | false
whisper_is_proxy | Boolean: open proxy | false
whisper_is_vpn | Boolean: VPN exit node | false
whisper_is_anonymizer | Boolean: anonymization service | false
whisper_is_whitelist | Boolean: explicitly whitelisted | false
whisper_threat_explanation | Human-readable threat summary | Low risk indicator...
whisper_threat_factors | Contributing factors (multivalue) | listed_in_blocklist_de
whisper_threat_sources | Per-feed source data | (structured list)
whisper_threat_feed_ids | Feed IDs for ES threat_key | blocklist_de,spamhaus
whisper_threat_first_seen | Earliest feed observation date | 2024-01-15
whisper_threat_last_seen | Most recent feed observation date | 2024-06-30
whisper_feed_names | Threat feed names | blocklist_de,spamhaus
whisper_feed_count | Number of feeds listing this indicator | 2
whisper_feed_categories | Feed categories (from CATEGORY nodes) | Malware,Spam
whisper_type | Indicator type used | domain
whisper_risk_score | Normalized risk score (0-100), maps to ES risk_score | 45
whisper_risk_level | Risk level: informational, low, medium, high, critical | medium
whisper_risk_factors_list | Comma-separated contributing risk factor names | no_dnssec, threat_feed_medium
whisper_risk_components | JSON per-factor score breakdown | {"no_dnssec": {"points": 15, ...}}

The inline threat fields also include:

Field | Description | Example
whisper_threat_sources_count | Number of threat intelligence sources listing this indicator | 3
whisper_threat_first_seen | Earliest date this indicator appeared in any feed | 2024-01-15
whisper_threat_last_seen | Most recent date this indicator appeared in any feed | 2024-06-30

For IP enrichment, the same threat fields apply plus:

Field | Description | Example
whisper_reverse_dns_count | Number of reverse DNS hostnames | 5
whisper_asn_threat_level | ASN overall threat level: NONE/LOW/MEDIUM/HIGH/CRITICAL | MEDIUM
whisper_asn_threat_score | ASN composite threat score (numeric) | 45.2
whisper_asn_max_threat_score | Highest single-prefix threat score within the ASN | 82.0
whisper_asn_avg_threat_score | Average threat score across the ASN's prefixes | 31.5
whisper_asn_has_threatening_prefixes | Boolean: ASN contains at least one high-risk prefix | true

Inline threat data: whisper_threat_score and the boolean whisper_is_* fields come from inline properties on the IPV4 node in the graph. The explain() API is only called when those inline properties are absent. It returns explanation text, per-feed sources, and first/last seen dates. Both paths populate whisper_threat_score and whisper_threat_level.

CIM field aliases are also created:

CIM Field | Source
dest_ip | whisper_ip
dest_country | whisper_country
dest_asn | whisper_asn
threat_score | whisper_threat_score
threat_level | whisper_threat_level
risk_score | whisper_risk_score
risk_level | whisper_risk_level
is_threat | whisper_is_threat
is_c2 | whisper_is_c2
is_tor | whisper_is_tor
is_malware | whisper_is_malware
is_phishing | whisper_is_phishing
is_anonymizer | whisper_is_anonymizer
is_spam | whisper_is_spam
is_bruteforce | whisper_is_bruteforce
is_scanner | whisper_is_scanner
is_blacklist | whisper_is_blacklist
is_proxy | whisper_is_proxy
is_vpn | whisper_is_vpn
is_whitelist | whisper_is_whitelist

Examples

Enrich firewall logs with domain context:

index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_host type=domain
| where whisper_threat_score > 50
| table _time dest_host whisper_asn_name whisper_threat_level whisper_feed_names

Enrich IP addresses with auto-detection:

index=proxy sourcetype=squid
| whisperlookup field=src_ip
| stats count by whisper_asn_name whisper_country

Domain enrichment without threat intel (faster):

index=dns sourcetype=dns
| whisperlookup field=query type=domain include_threat_intel=false include_feeds=false
| table query whisper_ip whisper_asn whisper_asn_name whisper_cohost_count

Custom field prefix:

index=web sourcetype=access_combined
| whisperlookup field=clientip type=ip add_prefix="w_"
| table clientip w_asn_name w_country w_threat_level

Private IP addresses: Private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are automatically skipped — no API call is made and no enrichment fields are added.

Caching: Results are automatically cached in the whisper_enrichment_cache KV Store collection. Subsequent lookups for the same indicator within the TTL window (default: 1 hour) are served from cache without an API call. Use | whisperflush to clear the cache.
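
As an added illustration (not the app's own code), the following Python sketches the per-event logic described above for whisperlookup: type auto-detection, the RFC 1918 skip, the TTL cache with its 1-hour default, the configurable prefix and the CIM aliases. The graph response, the in-memory cache and the function names are constructed stand-ins for the Knowledge Graph API and the whisper_enrichment_cache KV Store collection.

```python
import ipaddress
import time

DEFAULT_TTL = 3600  # seconds; the documented default cache window is 1 hour
# RFC 1918 ranges that the page says are skipped without an API call
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for a Knowledge Graph API response (not the real API)
FAKE_GRAPH = {
    "example.com": {"ip": "93.184.216.34", "asn": "AS15133", "country": "US",
                    "threat_score": 15, "threat_level": "LOW", "is_threat": False},
}
API_CALLS = []  # every indicator that reached the (fake) API, to show cache hits
# Subset of the page's CIM alias table: enrichment key -> CIM field name
CIM_ALIASES = {"ip": "dest_ip", "country": "dest_country", "asn": "dest_asn",
               "threat_score": "threat_score", "threat_level": "threat_level",
               "is_threat": "is_threat"}

def detect_type(value):
    """type=auto: an IP literal is 'ip', anything else is treated as 'domain'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"

def is_private(value):
    """True only for the three RFC 1918 ranges; domains are never private here."""
    return detect_type(value) == "ip" and any(
        ipaddress.ip_address(value) in net for net in PRIVATE_NETS)

def enrich(event, field, cache, ind_type="auto", prefix="whisper_",
           ttl=DEFAULT_TTL, now=None):
    """Append prefixed enrichment fields and CIM aliases to one event, in place."""
    now = time.time() if now is None else now
    value = event.get(field)
    if not value or is_private(value):
        return event  # missing or private indicator: no API call, no fields added
    if ind_type == "auto":
        ind_type = detect_type(value)
    hit = cache.get(value)
    if hit is None or now - hit["cached_at"] > ttl:  # cache miss or expired entry
        API_CALLS.append(value)
        hit = {"cached_at": now, "data": dict(FAKE_GRAPH.get(value, {}))}
        cache[value] = hit
    for key, val in hit["data"].items():
        event[prefix + key] = val
        if key in CIM_ALIASES:
            event[CIM_ALIASES[key]] = val
    event[prefix + "type"] = ind_type
    return event
```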


whisperquery

Generating command that runs ad-hoc Cypher queries against the Knowledge Graph.

Syntax

| whisperquery query="<cypher_query>" [params="<parameters>"] [params_b64="<base64_json>"] [max_results=<N>]

Parameters

Parameter | Required | Default | Description
query | Yes | (none) | Cypher query string (must include a LIMIT clause)
params | No | (none) | Query parameters as key=value,key2=value2 or a JSON string
params_b64 | No | (none) | Base64-encoded JSON parameters (avoids SPL quote-escaping issues with arrays)
max_results | No | 10000 | Maximum number of results to return

Examples

Look up a domain's infrastructure:

| whisperquery query="MATCH (h:HOSTNAME {name: $domain})-[:RESOLVES_TO]->(ip:IPV4)-[:BELONGS_TO]->(p:PREFIX)<-[:ROUTES]-(a:ASN)-[:HAS_NAME]->(n:ASN_NAME) RETURN h.name AS hostname, ip.name AS ip, p.name AS prefix, a.name AS asn, n.name AS asn_name LIMIT 10" params="domain=example.com"

Find co-hosted domains:

| whisperquery query="MATCH (h:HOSTNAME {name: $domain})-[:RESOLVES_TO]->(ip:IPV4)<-[:RESOLVES_TO]-(cohost:HOSTNAME) WHERE cohost.name <> $domain RETURN ip.name AS ip, cohost.name AS cohost LIMIT 100" params="domain=example.com"

Get ASN routing information:

| whisperquery query="MATCH (a:ASN {name: $asn})-[:ROUTES]->(p:PREFIX) RETURN a.name AS asn, p.name AS prefix LIMIT 200" params="asn=AS13335"

Use JSON parameters:

| whisperquery query="MATCH (h:HOSTNAME {name: $domain}) RETURN h LIMIT 1" params='{"domain": "example.com"}'

Warning: Queries containing CREATE, DELETE, SET, MERGE, DROP, REMOVE, or DETACH keywords are rejected before being sent to the API. The Knowledge Graph is read-only.
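
Added example, not the app's code: a Python model of the input handling documented for whisperquery, covering the three parameter forms, the write-keyword rejection and the LIMIT requirement. The regexes and function names are assumptions; the command's real parser is not shown on this page.

```python
import base64
import json
import re

WRITE_KEYWORDS = ("CREATE", "DELETE", "SET", "MERGE", "DROP", "REMOVE", "DETACH")
# Whole-word match: a keyword buried in a longer token such as 'reset.example.com'
# is not a write clause. A match inside a quoted literal is still rejected, which
# errs on the side of caution for a read-only API.
WRITE_RE = re.compile(r"\b(" + "|".join(WRITE_KEYWORDS) + r")\b", re.IGNORECASE)
LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+|\$\w+)\b", re.IGNORECASE)
DEFAULT_MAX_RESULTS = 10000

def parse_params(params=None, params_b64=None):
    """params: key=value,key2=value2 or a JSON object; params_b64: base64 JSON."""
    if params_b64:
        return json.loads(base64.b64decode(params_b64).decode("utf-8"))
    if not params:
        return {}
    text = params.strip()
    if text.startswith("{"):
        return json.loads(text)
    parsed = {}
    for pair in text.split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed parameter: {pair!r}")
        parsed[key.strip()] = value.strip()
    return parsed

def encode_params_b64(obj):
    """Produce a params_b64 value, which sidesteps SPL quote escaping for arrays."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")

def validate_query(query):
    """Reject write keywords and require a LIMIT clause, as the command does."""
    hit = WRITE_RE.search(query)
    if hit:
        raise ValueError(f"query rejected: {hit.group(1).upper()} is not allowed")
    if not LIMIT_RE.search(query):
        raise ValueError("query rejected: LIMIT clause required")
    return True

def build_request(query, params=None, params_b64=None,
                  max_results=DEFAULT_MAX_RESULTS):
    """Assemble the read-only request the command would send to the API."""
    validate_query(query)
    return {"query": query, "parameters": parse_params(params, params_b64),
            "max_results": int(max_results)}
```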


whisperschema

Generating command that shows the Knowledge Graph schema -- node labels, relationship types, property keys, and metadata (descriptions, examples, counts, query patterns).

Syntax

| whisperschema mode=<labels|relationships|properties|schema|full>

Parameters

Parameter | Required | Default | Description
mode | No | labels | Schema query mode

Modes

Mode | Description | Cypher Equivalent
labels | List all node labels | CALL db.labels()
relationships | List all relationship types | CALL db.relationshipTypes()
properties | List all property keys in the graph | CALL db.propertyKeys()
schema | Schema with descriptions, examples, counts, fast/slow patterns | CALL db.schema()
full | Combined schema + property keys | CALL db.schema() + CALL db.propertyKeys()

All events include a whisper_schema_mode field for filtering.

Schema mode output fields

When using mode=schema or mode=full, each event includes all fields listed below. Fields that do not apply to a particular event type (e.g., sourceLabels on a node event) are present as empty strings. This ensures all events have a uniform field set, which is required by the Splunk chunked v2 protocol for correct field display.

Field | Description
type | Entity type: node, relationship, or tips
name | Label or relationship name (e.g., HOSTNAME, RESOLVES_TO)
count | Number of entities in the graph
description | Human-readable description
example | Example value
sourceLabels | Source node labels (populated for relationships, JSON array)
targetLabels | Target node labels (populated for relationships, JSON array)
fastPatterns | Efficient query patterns (populated for relationships and tips, JSON array)
slowPatterns | Patterns to avoid (populated for relationships and tips, JSON array)
bestPractices | Query best practices (populated for relationships and tips, JSON array)

Examples

List all node types in the graph:

| whisperschema mode=labels

List all relationship types:

| whisperschema mode=relationships

List all property keys:

| whisperschema mode=properties

Explore the full schema with descriptions and examples:

| whisperschema mode=schema
| search type=node
| table name, count, description, example

View query best practices:

| whisperschema mode=schema
| search type=tips
| table bestPractices, fastPatterns, slowPatterns

Get combined schema and property keys:

| whisperschema mode=full
| stats count by whisper_schema_mode

whisperflush

Generating command that flushes the enrichment cache. Requires admin or sc_admin role.

Syntax

| whisperflush [collection=cache|precomputed|all]

Parameters

Parameter | Required | Default | Description
collection | No | cache | Which collection to flush

Targets

Collection | KV Store | Description
cache | whisper_enrichment_cache | TTL-based enrichment cache
precomputed | whisper_precomputed_enrichment | Pre-computed watchlist enrichments
all | Both | Flush both cache and precomputed collections

Examples

Flush the enrichment cache:

| whisperflush

Flush pre-computed enrichments:

| whisperflush collection=precomputed

Flush everything:

| whisperflush collection=all

whisperevict

Generating command that evicts expired entries from the enrichment cache using the KV Store REST API. More efficient than loading all records through the SPL pipeline, especially for large caches. This command is used by the "Whisper - Evict Expired Cache Entries" saved search.

Syntax

| whisperevict

How it works

The command uses two phases:

  1. Bulk delete: Queries the KV Store for expired entries with the default TTL and deletes them in a single REST API call.
  2. Custom TTL: Scans entries with non-default TTLs and deletes expired ones individually.

This avoids loading all cache records into the search pipeline, which matters for large caches.
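
Added example, not the app's code: the two-phase eviction described above, modelled in Python over a constructed in-memory stand-in for the whisper_enrichment_cache collection. Python predicates stand in for the KV Store JSON query, and each method call counts as one REST round-trip so the saving over per-record deletion is visible; the record layout (cached_at, ttl) is an assumption.

```python
import time

DEFAULT_TTL = 3600  # seconds; the documented default cache window

class FakeKVStore:
    """Constructed stand-in for the whisper_enrichment_cache collection. Records
    carry cached_at (epoch seconds) and an optional ttl (seconds). The real
    command uses the KV Store REST API; here every method is one round-trip."""

    def __init__(self, records):
        self.records = {r["_key"]: dict(r) for r in records}
        self.rest_calls = 0

    def query(self, predicate):
        self.rest_calls += 1
        return [dict(r) for r in self.records.values() if predicate(r)]

    def delete_by_query(self, predicate):
        """One call removes every matching record (the phase 1 bulk delete)."""
        self.rest_calls += 1
        doomed = [k for k, r in self.records.items() if predicate(r)]
        for k in doomed:
            del self.records[k]
        return len(doomed)

    def delete_by_key(self, key):
        self.rest_calls += 1
        del self.records[key]

def evict_expired(store, now=None, default_ttl=DEFAULT_TTL):
    """Phase 1 bulk-deletes default-TTL rows past the cutoff; phase 2 checks
    rows with a custom TTL one by one and deletes the expired ones."""
    now = time.time() if now is None else now
    cutoff = now - default_ttl
    evicted = store.delete_by_query(
        lambda r: r.get("ttl", default_ttl) == default_ttl and r["cached_at"] < cutoff)
    for row in store.query(lambda r: r.get("ttl", default_ttl) != default_ttl):
        if now - row["cached_at"] > row["ttl"]:  # expired under its own TTL
            store.delete_by_key(row["_key"])
            evicted += 1
    return {"collection": "whisper_enrichment_cache", "action": "evict_expired",
            "status": "success", "evicted": evicted, "ttl_seconds": default_ttl}
```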

Output fields

Field | Description
collection | The KV Store collection name
action | Always evict_expired
status | success, skipped, or error
evicted | Number of entries removed
ttl_seconds | TTL used for expiration calculation
error | Error message if status is error

Examples

Run cache eviction manually:

| whisperevict