Solved: External threat feed database lookup

jwalzerpitt · ‎05-12-2015

I created a SQL server db table that contains various IPs from open source IP block lists (zeustracker, dshield, stop forum spam). I am currently in the process of creating the DB Lookup within the Splunk DB Connect v2 app.

What I'd like to do is compare either src_ip or dst_ip fields from various sourcetypes against the IP list in the lookup database. In the 'Choose the Splunk Fields to Base the Lookup on' (Step 3 of 6) should I select multiple fields (src_ip AND dst_ip), or do I need to create separate lookups for the src_ip and dst_ip fields?

Thx

woodcock · ‎05-12-2015

GetWatchList:
https://splunkbase.splunk.com/app/635/
http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

View solution in original post

woodcock · ‎05-12-2015

GetWatchList:
https://splunkbase.splunk.com/app/635/
http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

jwalzerpitt · ‎05-12-2015

Thx for link pointing to a great app! Absolutely awesome...

jwalzerpitt · ‎05-19-2015

One quick question. I created the .csv file with two columns - ip_address and feedname. How do I run the query that returns both fields?

I am running the following query:

but it comes back and tells me, "No results found". If I remove 'feedname' I get results with the count. I'd like to see the feedname column listed as well to see which threat feed the IP is associated with.

Thx

External threat feed database lookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!