Lookup Country Name

spIunk_user
Engager

Hi All,

I'm new to Splunk and have taken the Splunk Search/Reporting and Knowledge Objects courses - however this wasn't really part of them. I'm trying to look up a Country name to a list of blacklisted countries. As we don't have the country names in the logs by default I need to use the iplocation command. The list itself lists the country in a field called blacklist_country and a y in the column blacklist_country_match (to show it is blacklisted).

I have verified with the inputlookup command the file appears and is formatted as it should be.

I know that to actually have the country names present I need to do the iplocation command - so far I have the following which displays perfectly:

sourcetype="ASA" | iplocation prefix=src_ip_ src_ip | iplocation prefix=dest_ip_ dest_ip

This causes the country names to show up as src_ip_Country and dest_ip_Country.

However, when I do lookups to the table for matches I just get errors. Using this (just for src_ip_Country to start out with):

sourcetype="ASA" earliest=-2h | iplocation prefix=src_ip_ src_ip | lookup blacklistCountries blacklist_country as src_ip_Country OUTPUT blacklist_country_match as src_blacklist_country_match

I've tried adding the .csv to the end of the file name within the lookup command as well as trying OUTPUTNEW.

I'd appreciate any advice on what I'm missing or even whether there is a better or more efficient way to go about this. Also, if anyone has suggestions on actually making this an auto-lookup. I assume the error has something to do with the country names not being in the logs by default and me having to call them in the same search, but I assumed that as I called them prior to the lookup it would have worked out.

Thanks!

woodcock
Esteemed Legend

What are the headers for your lookup CSV? According to your lookup here:

sourcetype="ASA" earliest=-2h | iplocation prefix=src_ip_ src_ip | lookup blacklistCountries blacklist_country as src_ip_Country OUTPUT blacklist_country_match as src_blacklist_country_match

The format for the command is:

lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUT <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

So according to this mapping, your file has this header:

src_ip_Country,blacklist_country_match

But I suspect that this is not the case in your file.

0 Karma
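To make the mapping in the answer above concrete, here is an added Python model of the lookup command (not Splunk code and not from this thread): names on the left of AS and directly after OUTPUT must be columns of the lookup file, names on the right of AS are event fields, OUTPUTNEW fills only fields the event lacks, and matching is case-sensitive as a Splunk CSV lookup is by default. The CSV, events and country names are constructed placeholders.

```python
import csv
import io

# Constructed lookup file. Its header names the lookup-side fields that the
# search refers to on the left of AS and directly after OUTPUT.
BLACKLIST_CSV = """blacklist_country,blacklist_country_match
Northland,y
Southland,y
"""
# Constructed events, as they look after `iplocation prefix=src_ip_ src_ip`
# has added src_ip_Country (placeholder country names, not real geodata).
EVENTS = [
    {"src_ip": "203.0.113.5", "src_ip_Country": "Northland"},
    {"src_ip": "198.51.100.7", "src_ip_Country": "Eastland"},
    {"src_ip": "192.0.2.9", "src_ip_Country": "southland"},  # case differs
]

def missing_lookup_fields(table, names):
    """Names that are not columns of the lookup file: check this first when
    a lookup command errors out."""
    header = table[0].keys() if table else ()
    return [n for n in names if n not in header]

def lookup(events, table, match, output, overwrite=True, case_sensitive=True):
    """Model of `lookup <table> <lf> AS <ef> OUTPUT <ldf> AS <edf>`, with
    match={lookup_field: event_field} and output={lookup_destfield: event_destfield}.
    overwrite=False acts like OUTPUTNEW; case_sensitive=True is a CSV lookup's default."""
    missing = missing_lookup_fields(table, list(match) + list(output))
    if missing:
        raise KeyError(f"not columns of the lookup file: {missing}")
    norm = (lambda s: s) if case_sensitive else str.lower
    results = []
    for ev in events:
        out = dict(ev)
        for row in table:
            if all(norm(row[lf]) == norm(str(ev.get(ef, ""))) for lf, ef in match.items()):
                for ldf, edf in output.items():
                    if overwrite or edf not in out:
                        out[edf] = row[ldf]
                break  # first matching row wins
        results.append(out)
    return results

def run_blacklist_check(case_sensitive=True):
    """The asker's search, run against the constructed data."""
    table = list(csv.DictReader(io.StringIO(BLACKLIST_CSV)))
    return lookup(EVENTS, table,
                  match={"blacklist_country": "src_ip_Country"},
                  output={"blacklist_country_match": "src_blacklist_country_match"},
                  case_sensitive=case_sensitive)
```

If missing_lookup_fields reports a name, the CSV header and the search disagree, which is the mismatch the answer above asks about.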

lguinn2
Legend

What is in your blacklisted countries CSV file? What errors are you seeing?

0 Karma

spIunk_user
Engager

Also this is 6.2 and everything is in my personal directory.

0 Karma