https://community.splunk.com/t5/Splunk-Search/Watchlist-Lookup/m-p/76403#M19326 <P>Hello, we need help setting up an ongoing query against a watchlist of suspicious IP addresses. We have made the following config changes so far with no results:</P> <OL> <LI><P>created a .CSV file in $SPLUNKroot\etc\apps\search\lookups (see sample contents below)</P> <P>bad_ip,suspicious<BR /> X.X2.12.12,1<BR /> X.X3.12.13,1<BR /> X.X4.191.4,1<BR /> X.X5.191.14,1</P></LI> <LI><P>create the following props.conf; and transform.conf in \search\local\</P></LI> </OL> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[cisco_asa] LOOKUP-watch = sampl_watchlist bad_ip AS src </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[sampl_watchlist] filename = sampl_watchlist.csv </CODE></PRE> <P>Basically, how can we run our firewall logs against the watch list and alert on all matches. Thanks.</P> Mon, 01 Oct 2012 16:12:44 GMT opsec 2012-10-01T16:12:44Z https://community.splunk.com/t5/Splunk-Search/Watchlist-Lookup/m-p/76403#M19326 <P>Hello, we need help setting up an ongoing query against a watchlist of suspicious IP addresses. We have made the following config changes so far with no results:</P> <OL> <LI><P>created a .CSV file in $SPLUNKroot\etc\apps\search\lookups (see sample contents below)</P> <P>bad_ip,suspicious<BR /> X.X2.12.12,1<BR /> X.X3.12.13,1<BR /> X.X4.191.4,1<BR /> X.X5.191.14,1</P></LI> <LI><P>create the following props.conf; and transform.conf in \search\local\</P></LI> </OL> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[cisco_asa] LOOKUP-watch = sampl_watchlist bad_ip AS src </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[sampl_watchlist] filename = sampl_watchlist.csv </CODE></PRE> <P>Basically, how can we run our firewall logs against the watch list and alert on all matches. Thanks.</P> Mon, 01 Oct 2012 16:12:44 GMT https://community.splunk.com/t5/Splunk-Search/Watchlist-Lookup/m-p/76403#M19326 opsec 2012-10-01T16:12:44Z https://community.splunk.com/t5/Splunk-Search/Watchlist-Lookup/m-p/76404#M19327 <P>This should do it:</P> <PRE><CODE>sourcetype=cisco_asa suspicious=1 </CODE></PRE> <P>because you defined an automatic lookup in props.conf</P> <P>BTW, I would add the following to transforms.conf</P> <PRE><CODE>min_matches = 1 default_match = "no match" </CODE></PRE> <P>which will let you do other interesting searches, too.</P> Tue, 02 Oct 2012 22:53:09 GMT https://community.splunk.com/t5/Splunk-Search/Watchlist-Lookup/m-p/76404#M19327 lguinn2 2012-10-02T22:53:09Z