I'm having problems using a lookup file as a whitelist. Basically, I have a simple IP address list with a CIDR mask appended, like:
ip_address
10.20.25.36/20
10.54.22.85/32
192.168.25.14/20
So I uploaded it as PAN_DOS_exceptions.csv, then I defined a stanza in transforms.conf as:
[PAN_DOS_exceptions]
filename=PAN_DOS_exceptions.csv
min_matches = 1
default_match = NONE
match_type = CIDR(ip_address)
Then I used https://my-splunk-server:8000/en-US/debug/refresh to reload the transforms.conf so when I execute the following search:
index="pan_logs" sourcetype=pan_threat log_subtype=flood | NOT [lookup PAN_DOS_exception ip_address AS src_ip]
It returns every entry without filtering against the lookup table. The idea is to exclude from the result those IP addresses that are in the lookup table.
Thoughts?
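As an added example (not part of the original post), this is the usual way to turn a CIDR-matching lookup into an exclusion filter in SPL: run `lookup` to pull a field back for every event whose `src_ip` falls inside one of the listed CIDR ranges, then keep only the events where nothing came back. The lookup name, the `ip_address` column and the `src_ip` field are taken from the post above; the output field name `whitelisted_cidr` is an assumption chosen here.

```spl
index="pan_logs" sourcetype=pan_threat log_subtype=flood
| lookup PAN_DOS_exceptions ip_address AS src_ip OUTPUT ip_address AS whitelisted_cidr
| where isnull(whitelisted_cidr) OR whitelisted_cidr="NONE"
| fields - whitelisted_cidr
```

Two things to watch with the stanza as written above. First, `default_match = NONE` together with `min_matches = 1` means a non-matching event is not left with a null field but is given the literal string `NONE`, which is why the `where` clause tests for both the null and the `NONE` value; drop those two settings and `isnull()` alone is enough. Second, the lookup name in the search in the post (`PAN_DOS_exception`) does not match the stanza name (`PAN_DOS_exceptions`); the names must agree exactly for the CIDR `match_type` to apply. A plain `NOT [inputlookup ...]` subsearch would not do what is wanted here either, because a subsearch expands to literal `src_ip="10.20.25.36/20"` terms and performs no CIDR containment test.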