The lookup is local_ip_intel and it contains IP addresses and descriptions
In the Threat intelligence audit dashboard the download status is blank.

The source field is correctly mapped to the CIM

The threat list "local_ip_intel" does not appear when I execute
| inputlookup threatintel_by_cidr

So I assume I need the content from the new lookup "local_ip_intel" to end up in the "threatintel_by_cdr" lookup. and if so how is it supposed to get there?

I notice when you upload a new threat list it places it in the local/data/threat_intel dir in the app.
Are the threat lists supposed to live there? these ones are currently in the lookup dir
What is the standard for these threat lists, the documentation is not that clear.

Just to be sure, you configured the local input in ES here: Data inputs » Threat Intelligence Management » local_lookups ?

Under threat intelligence management it looks like this

Name Directory
da_ess_threat_default $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/default/data/threat_intel
da_ess_threat_local $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel
local_lookups ignored
sa_threat_local $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel

The lookups in question are currently in the app/lookups dir

The events that I am trying to get picked up into the "threat_activity" index are watchguard logs like this:
Apr 10 13:32:11 -FB-02 *1016F5DC (2018-04-10T03:32:11) http-proxy[2256]: msg_id="1AFF-0024" Allow 2-Inside 5-Uecomm10 tcp 172...* 212...* 51153 80 msg="HTTP request" proxy_act="HTTP-Client.3" op="GET" dstname="api.wipmania.com" arg="/jsonp?callback=jQuery191009073215578267857_1523331069485&_=1523331069486" sent_bytes="442" rcvd_bytes="602" elapsed_time="0.657724 sec(s)" app_id="128" app_cat_id="13" app_name="Microsoft Edge" app_cat_name="Web services" reputation="1" reason="262189" action="allow" (HTTP-proxy-00)