Hi Team,
I'm using Splunk Enterprise and trying to use the built-in threat intel feeds in Splunk, let's say iblocklist_tor. I have enabled it and it is getting downloaded at the path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while I'm doing the lookup for it against my firewall logs I'm not able to do it and get no hits. What I'm trying is
index=firewall[| inputlookup iblocklist_tor.csv]
but I'm not getting any result; the CSV being generated has (:) as the delimiter. Can you please help me out with how to get this done.
Thanks!
Vinod Yadav

Hi Team,
I'm also using Splunk Enterprise. I have enabled a few built-in threat intel sources, let's say iblocklist_tor. I'm seeing the file is getting downloaded with (:) as the delimiter. How can I look up the list of IP addresses in my firewall logs?
I'm trying to search like
index=firewall[| inputlookup iblocklist_tor.csv]
but not getting any event hit. Can you please help me out with the steps, what am I missing here?
Thanks!
Vinod Yadav
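Offline illustration of the matching both posts ask about (added here as an example; it is not the poster's code and not part of Splunk's SA-ThreatIntelligence app): parse a colon-delimited blocklist into IP ranges and check the src_ip of firewall log lines against it. The "label:start-end" line layout, the src_ip field name and all sample lines are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample of a colon-delimited blocklist in "label:start-end"
# form; this layout is an assumption, not the real iblocklist_tor.csv.
BLOCKLIST_TEXT = """\
# comments and blank lines are skipped
tor exit relay:198.51.100.10-198.51.100.20
tor exit relay:203.0.113.0-203.0.113.255
line without a delimiter
"""
# Constructed firewall log lines; src_ip is the field being matched.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z action=allow src_ip=198.51.100.15 dst_ip=10.0.0.5 dst_port=443",
    "2024-05-01T10:00:02Z action=allow src_ip=192.0.2.7 dst_ip=10.0.0.5 dst_port=22",
    "2024-05-01T10:00:03Z action=deny src_ip=203.0.113.77 dst_ip=10.0.0.9 dst_port=80",
]
SRC_IP_RE = re.compile(r"\bsrc_ip=(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_blocklist(text):
    """Return (label, start_int, end_int) tuples from colon-delimited lines.
    Splits on the last ':' so labels may contain colons; a bare address is a
    one-address range; comment, blank and malformed lines are skipped."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        label, _, span = line.rpartition(":")
        start, _, end = span.partition("-")
        try:
            lo = int(ipaddress.IPv4Address(start.strip()))
            hi = int(ipaddress.IPv4Address((end or start).strip()))
        except ipaddress.AddressValueError:
            continue  # unparsable address: skip the entry, keep loading
        ranges.append((label, min(lo, hi), max(lo, hi)))
    return ranges

def match_logs(log_lines, ranges):
    """Return [(log_line, label)] for each line whose src_ip is in a range."""
    hits = []
    for line in log_lines:
        m = SRC_IP_RE.search(line)
        if not m:
            continue
        ip = int(ipaddress.IPv4Address(m.group(1)))
        for label, lo, hi in ranges:
            if lo <= ip <= hi:
                hits.append((line, label))
                break
    return hits
```

The same idea in Splunk terms is that the lookup's field names must match the firewall event's field names before a subsearch or lookup can produce hits.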