Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare IP blacklists

nebblkshts
New Member
‎06-27-2019 06:08 AM

I want to either compare natdst to a blacklist.
We do not have a subscription to any service that provides blacklist but I see some free list.
I am assuming since we do not pay for a service, I have to download a CSV and compare that way.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-05-2019 04:32 PM

There is an app for that called Getwatchlist Add-on for Splunk Enterprise:
https://splunkbase.splunk.com/app/635/

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-27-2019 07:54 AM

Hi nebblkshts,
You have to load csv in a lookup (called e.g. ip_blacklist.csv) and then use a search like this:

index=my_index [ | inputlookup ip_blacklist.csv | fields source_ip ]
| stats count BY source_ip

put attention to the fieldname between logs and lookup: they must be the same, if they are different, in the subsearch you have to insert a rename.

Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-27-2019 11:46 PM

Hi nebblkshts,
if you're satisfied by this answer, please accept and/ot upvote it.
Bye, see at next time.
Giuseppe

0 Karma
Reply

nebblkshts
New Member
‎06-27-2019 10:38 AM

Thank you, that worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...