We've got several threatlists running and I see that old threatlist information isn't properly cleaned. The max age is put on -1d but the data is still sometimes old and showing domains that have long been removed. How can you schedule a cleanup for this data?
See the documentation here. You need to enable a search to take action based on the max age setting: https://docs.splunk.com/Documentation/ES/5.1.1/Admin/Changethreatintel#Configure_threat_source_reten...
I've done this but somehow it still shows up in notables.
In |inputlookup ip_intel I can't find the domain but it's still getting matched, even though there's a max age and the retention searches have been scheduled and executed. The correlation search is looking in the data model threat_actvity which looks at ip_intel so I don't understand how it's still matching.