I already used the all_threat_intel macro but I am missing information too. The list I download has 9 fields and I need them all. (Firstseen (UTC), Threat, Malware, Host, URL, Status, Registrar, IP address(es), ASN(s), Country)
Hello,
I added a new threat intelligence source in Splunk Enterprise Security (https://ransomwaretracker.abuse.ch/feeds/csv/). The download works fine and the list is stored in /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data. Then the list is included in the threat collection 'ip_intel', but at this step I lose important information which is in the list but not in the collection.
So I would like to use the downloaded list as a lookup. I tried to create a lookup in SA-ThreatIntelligence/lookups/ and modified some parameters, but no data is copied in.
Any idea on how to do that?
PS: I am using Splunk 6.2.4 and ES 3.3.2
Hello,
I made a web page with 4 embedded reports from Splunk. The reports are scheduled every 5 minutes and the web page reloads itself every 1 minute. The embedded reports point to one search head which is in a search head cluster.
My problem is that sometimes some reports are blank, but the others are good!
Does anyone have an idea of where the problem is?
Thanks