I created a SQL Server DB table that contains various IPs from open source IP block lists (zeustracker, dshield, stop forum spam). I am currently in the process of creating the DB Lookup within the Splunk DB Connect v2 app.
What I'd like to do is compare either src_ip or dst_ip fields from various sourcetypes against the IP list in the lookup database. In the 'Choose the Splunk Fields to Base the Lookup on' (Step 3 of 6) should I select multiple fields (src_ip AND dst_ip), or do I need to create separate lookups for the src_ip and dst_ip fields?
Thx
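An added example (not part of the original thread, and not Splunk's or DB Connect's own code) showing the pattern the question is asking about: one lookup definition, invoked once per IP field, rather than a separate lookup per field. It assumes a CSV lookup named threatfeed.csv with columns ip_address and feedname standing in for the DB Connect lookup, and a hypothetical sourcetype=firewall whose events carry src_ip and dst_ip.

```spl
index=main sourcetype=firewall
| lookup threatfeed.csv ip_address AS src_ip OUTPUT feedname AS src_feed
| lookup threatfeed.csv ip_address AS dst_ip OUTPUT feedname AS dst_feed
| where isnotnull(src_feed) OR isnotnull(dst_feed)
| eval matched_ip=if(isnotnull(src_feed), src_ip, dst_ip),
       feedname=coalesce(src_feed, dst_feed)
| stats count by sourcetype, matched_ip, feedname
| sort -count
```

Each lookup call maps the table's ip_address column to a different event field and writes the feed name to a distinct output field, so a single event whose source and destination both hit the list is still visible. The where clause keeps only events that matched on either side; because lookup only adds the OUTPUT field on a hit, isnotnull() is a reliable match test. The same "one definition, one call per field" approach applies when the lookup is backed by the DB Connect table instead of a CSV.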
Thx for the link pointing to a great app! Absolutely awesome...
One quick question. I created the .csv file with two columns - ip_address and feedname. How do I run the query that returns both fields?
I am running the following query:
index=main [|inputlookup threatfeed.csv | fields ip_address,feedname | rename ip_address as SourceIP] | stats count by SourceIP | sort -count
but it comes back and tells me, "No results found". If I remove 'feedname' I get results with the count. I'd like to see the feedname column listed as well to see which threat feed the IP is associated with.
Thx
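An added example (not part of the original thread) of why the search above returns nothing and how to get feedname back. A subsearch is turned into a boolean filter: every row it returns becomes one OR'd term, and every field in a row is AND'd together. Returning both SourceIP and feedname therefore produces terms like (SourceIP="..." AND feedname="..."), and since raw events have no feedname field, no event can match. The first search below uses the format command to print exactly that generated filter; the second keeps the subsearch for filtering on SourceIP only and then uses lookup to attach feedname afterwards. It assumes a CSV lookup named threatfeed.csv with columns ip_address and feedname, as described in the post.

```spl
| inputlookup threatfeed.csv
| fields ip_address, feedname
| rename ip_address AS SourceIP
| format

index=main [| inputlookup threatfeed.csv | fields ip_address | rename ip_address AS SourceIP]
| lookup threatfeed.csv ip_address AS SourceIP OUTPUT feedname
| stats count by SourceIP, feedname
| sort -count
```

Running the first search on its own shows the search string Splunk would substitute for the subsearch, which is the quickest way to see why adding a second field breaks the match. In the second search the subsearch returns only SourceIP, so the filter is a plain OR of addresses; lookup then enriches the surviving events with feedname so stats can group by both fields. Subsearches are capped at 10,000 result rows by default, so for a large block list it is safer to drop the subsearch entirely and filter with "| where isnotnull(feedname)" after the lookup instead.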