Getwatchlist Add-on for Splunk Enterprise: common ...

dominiquevocat · ‎12-02-2015

Is there some kind of definition of what info gets to be placed in what field? Some sources deliver CIDR, some deliver IP, some deliver DNS domains etc. Is there a definition of what the lookup table should look like that gathers all sources and provides a systemwide lookup?
I would like to gather a global list of suspicions internet destinations and/or client IPs

Also, urllib has issues with https via proxy and I have good experiences with the requests library. Any chance the author will consider using that library?

dshpritz · ‎12-02-2015

There is no guidance on what the lookups should look like, getwatchlist is just a tool that you can use to grab a URL and make a lookup. How you map those for your use is really up to you. Some examples can be found in the config, or here:

Splunk Blogs
Stratum Security

Also, keep in mind that you can map fields using the "=", so for example, if the 4th column in the retrieved file is the name of the contributor, and you wanted it to be mapped to a field named "contributor" you can add "4=contributor" to the command to create that mapping.

As for the use of the requests library, that would be a possibility for the future, but I currently don't have any plans on when the next release would be.

Thanks,

Dave

Getwatchlist Add-on for Splunk Enterprise: common lookup format and https proxy

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes