https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/598647#M10810 <P>maby this will work:?&nbsp;</P><P>@the parsing tab do the following extracting reg expr:&nbsp;([^\"\,]+)</P><P>&nbsp;</P> Fri, 20 May 2022 11:36:25 GMT BenjaminAbben 2022-05-20T11:36:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/594902#M10777 <P>I'm currently trying to upload a malware feed into&nbsp;Threat Intelligence Management.</P><P>The feed itself is being pulled from the following URL:&nbsp;<SPAN><A href="https://bazaar.abuse.ch/export/csv/recent/" target="_blank" rel="noopener">https://bazaar.abuse.ch/export/csv/recent/</A></SPAN></P><P>The issue is that while it is in CSV format, the values themselves are also encapsulated by quotes, so they are being imported into the file_intel like the following.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JakeInfoSec_0-1650639667839.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19215i1151DA5E9D627BDE/image-size/medium?v=v2&amp;px=400" role="button" title="JakeInfoSec_0-1650639667839.png" alt="JakeInfoSec_0-1650639667839.png" /></span></P><P>To extract out the actual values since they are surrounded by quotes I put together a regular expression under "Extracting regular expression" which works on regexr and regex101, but this regular expression does not appear to be getting used as the values in the lookup still look like the above.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JakeInfoSec_0-1650643252401.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19220i44DC7DC418A9DB61/image-size/medium?v=v2&amp;px=400" role="button" title="JakeInfoSec_0-1650643252401.png" alt="JakeInfoSec_0-1650643252401.png" /></span></P><P>&nbsp;</P><P>Here is what the csv looks like.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JakeInfoSec_2-1650640799840.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19218i4E68DEC52588CA4D/image-size/medium?v=v2&amp;px=400" role="button" title="JakeInfoSec_2-1650640799840.png" alt="JakeInfoSec_2-1650640799840.png" /></span></P><P>Is there a setting I am missing that is causing the regex to not be utilized?</P> Fri, 22 Apr 2022 16:04:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/594902#M10777 JakeInfoSec 2022-04-22T16:04:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/598647#M10810 <P>maby this will work:?&nbsp;</P><P>@the parsing tab do the following extracting reg expr:&nbsp;([^\"\,]+)</P><P>&nbsp;</P> Fri, 20 May 2022 11:36:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/598647#M10810 BenjaminAbben 2022-05-20T11:36:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/598650#M10811 <P>Oh wait,, after some messing around place the + 1 spot to the left like so:<BR /><BR />\b([^\"\,]+)\b</P> Fri, 20 May 2022 11:49:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Adding-Threat-Intelligence-feed-into-Splunk-ES-in-CSV-format/m-p/598650#M10811 BenjaminAbben 2022-05-20T11:49:41Z