I want to either compare natdst to a blacklist.
We do not have a subscription to any service that provides blacklist but I see some free list.
I am assuming since we do not pay for a service, I have to download a CSV and compare that way.
There is an app for that called Getwatchlist Add-on for Splunk Enterprise: https://splunkbase.splunk.com/app/635/
Hi nebblkshts,
You have to load csv in a lookup (called e.g. ip_blacklist.csv) and then use a search like this:
index=my_index [ | inputlookup ip_blacklist.csv | fields source_ip ]
| stats count BY source_ip
Pay attention to the field name between the logs and the lookup: they must be the same; if they are different, you have to insert a rename in the subsearch.
Bye.
Giuseppe
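As an added illustration (not part of Giuseppe's answer), here are the two searches a practitioner would typically end up with for this case. The event field is natdst (from the question), the index and CSV name are the ones used in the answer, and the blacklist column name `ip` and the lookup definition name `ip_blacklist` are assumptions; adjust them to match your lookup. The first search is the subsearch form from the answer with the rename that handles a mismatched field name; the second uses the lookup command instead, which needs a lookup definition created for ip_blacklist.csv (Settings > Lookups > Lookup definitions) but is not subject to the subsearch result limit and lets you keep the matched events rather than only counts.

```spl
index=my_index
    [ | inputlookup ip_blacklist.csv
      | rename ip AS natdst
      | fields natdst ]
| stats count BY natdst

index=my_index
| lookup ip_blacklist ip AS natdst OUTPUT ip AS blacklisted_ip
| where isnotnull(blacklisted_ip)
| stats count BY natdst
```

The subsearch expands into an OR of natdst=value terms, so it is simple and fast for a small list; for a large blacklist (subsearches are capped at 10,000 results by default) the lookup form is the safer choice, and the `where isnotnull(...)` line is what turns the enrichment into a filter.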
Hi nebblkshts,
if you're satisfied by this answer, please accept and/or upvote it.
Bye, see you next time.
Giuseppe
Thank you, that worked.