Hello,
I installed the app and added the key in scorelookup.py.
What to do next?
I tried a search "dst_port 80 | rename src_ip as clientip" and don't have the threatscore field.
Any idea?
Txs
you also need to define dst_port=80 with =; that is common Splunk search syntax.
so try:
dst_port=80 | lookup threatscore clientip as src_ip
no renaming required if you write "as src_ip"
br
Matthias
Tried adding an explicit lookup?
i.e. "dst_port 80 | rename src_ip as clientip | lookup threatscore clientip"
the threatscore field isn't getting inserted into the data stream... How is this generated?
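For anyone else wondering where the field comes from: with an external lookup, the field is produced by the script itself, not by the search. Below is an added illustration of the contract such a script must meet; it is not the app's own scorelookup.py, and the transforms.conf stanza in the docstring, the field names and the scoring table are assumptions. Splunk runs the script with the lookup's field names as arguments, pipes a CSV with those headers on stdin, and reads the completed CSV (threatscore column filled) back from stdout. If the script never writes that column, the search never sees a threatscore field, whatever the `lookup` syntax.

```python
#!/usr/bin/env python3
"""Minimal Splunk external lookup that fills a ``threatscore`` column.

Added illustration, NOT the app's scorelookup.py. Assumed (hypothetical)
transforms.conf stanza:

    [threatscore]
    external_cmd = scorelookup.py clientip threatscore
    fields_list  = clientip, threatscore

With that stanza a search such as
    dst_port=80 | lookup threatscore clientip AS src_ip
makes Splunk call ``scorelookup.py clientip threatscore``, send the
distinct src_ip values as a CSV on stdin, and merge whatever the
script writes to stdout back into the events.
"""
import csv
import io
import sys

# Constructed sample reputation table. It stands in for the real scoring
# service that the app would query with its API key; any address not
# listed is treated as unknown and scored 0.
SAMPLE_SCORES = {
    "198.51.100.7": 90,
    "203.0.113.42": 35,
}


def score_ip(ip):
    """Return a threat score for one address (0 = unknown / benign)."""
    return SAMPLE_SCORES.get(ip.strip(), 0)


def enrich(csv_text, key_field, out_field, scorer=score_ip):
    """Read the CSV Splunk sends, fill out_field on every row, return CSV.

    Rows with an empty key_field are passed through untouched so that
    events lacking a client address do not break the whole lookup.
    The output header always contains out_field, which is what makes the
    new field appear in the search results.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    for name in (key_field, out_field):
        if name not in fieldnames:
            fieldnames.append(name)

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        key = row.get(key_field) or ""
        if key:
            row[out_field] = str(scorer(key))
        writer.writerow(row)
    return out.getvalue()


def main(argv=None):
    """Entry point used when Splunk invokes the script."""
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        sys.stderr.write("usage: scorelookup.py <input_field> <output_field>\n")
        return 2
    sys.stdout.write(enrich(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To check a script like this outside Splunk, feed it a two-line CSV by hand (`printf 'clientip,threatscore\n198.51.100.7,\n' | python3 scorelookup.py clientip threatscore`) and confirm the threatscore column comes back populated; if it does not, the problem is in the script or its key, not in the search.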