I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table.
index=* sourcetype=bluecoat | table cs_host user | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=*
index=* sourcetype=bluecoat | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user
gives error saying The lookup table 'threatintel_by_domain.csv' does not exist or is not available.
All my custom lookup files work without table, but all the lookups in threatintel does not work without table. I've checked the permission and they are all global so it is not an issue with permission.
You are referencing the lookup by filename but you need to be referencing it by definition. Go to Settings -> Lookup -> Lookup definitions and select the ES app (or "All") in "App Context" and search for threatintel_by_domain.csv in the search box. It will identify the Lookup definition that is associated with that table. When I did this, I found one that it is called threatintel_by_domain. Swap out this value in your search like this:
index=* sourcetype=bluecoat | lookup threatintel_by_domaindomain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user