Hello, we need help setting up an ongoing query against a watchlist of suspicious IP addresses. We have made the following config changes so far with no results:
created a .CSV file in $SPLUNKroot\etc\apps\search\lookups (see sample contents below)
bad_ip,suspicious
X.X2.12.12,1
X.X3.12.13,1
X.X4.191.4,1
X.X5.191.14,1
created the following props.conf and transforms.conf in \search\local\
props.conf
[cisco_asa]
LOOKUP-watch = sampl_watchlist bad_ip AS src
transforms.conf
[sampl_watchlist]
filename = sampl_watchlist.csv
Basically, how can we run our firewall logs against the watch list and alert on all matches? Thanks.
This should do it:
sourcetype=cisco_asa suspicious=1
because you defined an automatic lookup in props.conf
BTW, I would add the following to transforms.conf
min_matches = 1
default_match = "no match"
which will let you do other interesting searches, too.
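To make the behaviour of the automatic lookup and of the suggested min_matches / default_match settings concrete, here is an added Python emulation (not Splunk code, and not from the question or the answer). It parses a constructed copy of the watchlist CSV, extracts the source address from a few constructed ASA-style log lines (the log format and the RFC 5737 addresses are placeholders, as is the regular expression), enriches each event with a "suspicious" field the way the LOOKUP-watch stanza would, and then filters for the equivalent of "sourcetype=cisco_asa suspicious=1". Passing default_match=None models the original transforms.conf, where non-matching events simply get no field.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed watchlist, same shape as sampl_watchlist.csv in the question.
# Addresses are documentation ranges, not real indicators.
WATCHLIST_CSV = """bad_ip,suspicious
203.0.113.12,1
203.0.113.13,1
198.51.100.4,1
198.51.100.14,1
"""

# Constructed ASA-style connection events (approximate format, for illustration only).
FIREWALL_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.12/4444 "
    "(203.0.113.12/4444) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built inbound TCP connection 2 for outside:192.0.2.77/51000 "
    "(192.0.2.77/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built inbound TCP connection 3 for outside:198.51.100.14/8080 "
    "(198.51.100.14/8080) to inside:10.0.0.9/22 (10.0.0.9/22)",
]

# Assumed field extraction: the address after "for outside:" is taken as src.
SRC_RE = re.compile(r"for outside:(\d+\.\d+\.\d+\.\d+)/\d+")


def load_watchlist(csv_text: str) -> Dict[str, str]:
    """Read the lookup file into {bad_ip: suspicious}, as Splunk would load the CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["bad_ip"].strip(): row["suspicious"].strip() for row in reader}


def extract_src(line: str) -> Optional[str]:
    """Pull the src field out of one raw event; None when the line has no match."""
    m = SRC_RE.search(line)
    return m.group(1) if m else None


def apply_lookup(events: List[str], watchlist: Dict[str, str],
                 default_match: Optional[str] = "no match") -> List[dict]:
    """Emulate 'LOOKUP-watch = sampl_watchlist bad_ip AS src'.

    default_match=None  -> behaves like the question's transforms.conf: events whose
                           src is not in the watchlist get no 'suspicious' field at all.
    default_match="..." -> behaves like min_matches = 1 / default_match = "...":
                           every event carries a 'suspicious' field, so "checked and
                           clean" events can be searched for explicitly.
    """
    enriched = []
    for line in events:
        src = extract_src(line)
        event = {"_raw": line, "src": src}
        hit = watchlist.get(src) if src else None
        if hit is not None:
            event["suspicious"] = hit
        elif default_match is not None:
            event["suspicious"] = default_match
        enriched.append(event)
    return enriched


def alert_hits(enriched: List[dict]) -> List[dict]:
    """Equivalent of the answer's search: sourcetype=cisco_asa suspicious=1."""
    return [e for e in enriched if e.get("suspicious") == "1"]


def clean_events(enriched: List[dict]) -> List[dict]:
    """One of the 'other interesting searches' default_match enables: suspicious="no match"."""
    return [e for e in enriched if e.get("suspicious") == "no match"]


if __name__ == "__main__":
    wl = load_watchlist(WATCHLIST_CSV)
    for e in alert_hits(apply_lookup(FIREWALL_LOGS, wl)):
        print("ALERT watchlist hit from", e["src"])
```

Run it as a script to see the two alerting events; in Splunk the same result comes from saving the answer's search as an alert. The emulation also makes the point of the transforms.conf addition visible: without default_match the second event has no "suspicious" field, so a search such as suspicious="no match" returns nothing and you cannot distinguish "checked, not on the list" from "lookup never ran".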