I would like to use a wildcard with the 'url' column in order to add to the correlation search lines like:
| lookup malware_domain_whitelist url OUTPUT whitelisted
| search NOT whitelisted="true"
I have two questions please:
First: if I understood correctly, I have to modify transforms.conf. But should I modify transforms.conf in $SPLUNK_HOME/etc/system/default/, or should I create a copy in $SPLUNK_HOME/etc/system/local/?
Second: I'm not exactly sure about the modification I should write. Could you please correct the mistakes:
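For reference, here is the shape of a wildcard lookup stanza in transforms.conf, as an added example that is not part of the original post and not the configuration the poster was about to paste. It assumes the lookup is backed by a CSV named malware_domain_whitelist.csv with columns url and whitelisted (both names are assumptions taken from the search above), and that the CSV rows use * as the wildcard character, e.g. *.cdn.example.com. Files under $SPLUNK_HOME/etc/system/default/ are overwritten on upgrade and should not be edited; a stanza like this belongs in a local directory (for example $SPLUNK_HOME/etc/system/local/transforms.conf, or better, the local/ directory of the app that owns the correlation search).

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf  (or etc/system/local/transforms.conf)
# Added example; stanza name must match the lookup name used in the search ("| lookup malware_domain_whitelist ...").
[malware_domain_whitelist]
# CSV must exist in the same app's lookups/ directory (assumed filename).
filename = malware_domain_whitelist.csv
# Treat the "url" column as a wildcard pattern: a row with url=*.cdn.example.com
# matches events whose url field ends in .cdn.example.com.
match_type = WILDCARD(url)
# Return only the first matching row so "whitelisted" is a single value, not a multivalue field.
max_matches = 1
# Hostnames are case-insensitive; keep matching case-insensitive too (this is the default).
case_sensitive_match = false
```

With this in place the search fragment from the question works unchanged: "| lookup malware_domain_whitelist url OUTPUT whitelisted | search NOT whitelisted="true"" drops events whose url matches any wildcard row. Two caveats worth checking in practice: a pattern like "*example.com" also matches "notexample.com" and "example.com.attacker.net" unless the row is written as "*.example.com" (and a separate exact row for "example.com"), and the url field being looked up must carry only the host (or the whole URL consistently), otherwise path or query strings prevent the suffix match from firing.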