I'm rather confused by the default inputs.conf entry:
[monitor://$SPLUNK_HOME/etc/apps/honeypot_scoring/bin/score_lookup_log.txt]
disabled = false
followTail = 0
host = score_lookup_file
sourcetype = Honey_Pot_Scorelookup_Log
Is it meant to be referencing a different app? I didn't see anything in splunk-base that would supply it.
Hi Mike,
If you review the python lookup script you can see that there is some code commented out. If you remove the # the lookup script will create this file and log what it receives from your splunk search and what values are given back.
This is how I track during development how the script is working, how many lookups are performed etc.
As it can produce a lot of data depending on how many realtime lookups of IPs you are doing, I did not enable it by default to avoid eating up any splunk license.
I probably should have removed the input before doing the release.
Thanks for the hint. I'll consider this for a next update.
Also make sure you add IP Reputation as tag to your answer. This is how your question gets noticed by me immediately.
Happy splunking,
Matthias
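As an added illustration (not the honeypot_scoring app's own script), here is the shape of a Splunk external lookup script of the kind Matthias describes: it reads the CSV Splunk pipes in, fills in the score field, and only when a development switch is turned on appends what it received and returned to the file that the monitor stanza above would index. The log path mirrors the stanza in the question; the field names, the scoring table and the RFC 5737 sample addresses are assumptions.

```python
import csv
import logging
import os
import sys

# Same path as the [monitor://...] stanza in the question (assumed, built from SPLUNK_HOME).
LOG_PATH = os.path.join(os.environ.get("SPLUNK_HOME", "."), "etc", "apps",
                        "honeypot_scoring", "bin", "score_lookup_log.txt")

# Ships off: every line written here is indexed by the monitor input and counts
# against the Splunk license. Flip to True only while developing the script.
DEBUG_LOG = False

# Hypothetical scoring table with constructed RFC 5737 documentation addresses.
SCORES = {"203.0.113.7": 90, "198.51.100.22": 35}


def score_rows(rows, ip_field, score_field, log=None):
    """Fill score_field for each CSV row from SCORES (0 when unknown).

    When a logger is supplied, record each input IP and the returned score, which
    is what the development log in the question contains. Returns the scored rows.
    """
    scored = []
    for row in rows:
        ip = row.get(ip_field, "")
        row[score_field] = str(SCORES.get(ip, 0))
        if log is not None:
            log.info("lookup in=%s out=%s", ip, row[score_field])
        scored.append(row)
    return scored


def main():
    # Splunk calls an external lookup as: script.py <input_field> <output_field>
    if len(sys.argv) != 3:
        sys.exit("usage: score_lookup.py <ip_field> <score_field>")
    ip_field, score_field = sys.argv[1], sys.argv[2]
    log = None
    if DEBUG_LOG:
        logging.basicConfig(filename=LOG_PATH, level=logging.INFO,
                            format="%(asctime)s %(message)s")
        log = logging.getLogger("score_lookup")
    reader = csv.DictReader(sys.stdin)          # header row names the fields
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()                         # Splunk expects the same header back
    for row in score_rows(reader, ip_field, score_field, log):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```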