test_qweqwe
Builder
10-23-2017
05:56 AM
We have this config:
[threatlist://ransomware_ip_blocklist]
delim_regex = :
description = abuse.ch Ransomware Blocklist
disabled = false
fields = ip:$1,description:Ransomware_ip_blocklist
type = threatlist
url = https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
Why did we write $1 there? What does it mean? (Yes, it means the IP; is it a regular expression that will parse all IPs?)
1 Solution
esix_splunk
Splunk Employee
10-23-2017
06:01 AM
$1 is the value for the ip field. Refer to the documentation here: http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Downloadthreatfeed
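To make the answer above concrete, here is an added example (not part of the original thread and not Splunk's own code): a simplified Python model of how the `delim_regex` and `fields` values from the question interact, where `$1` is the first column produced by splitting a line on the delimiter. The sample feed, the ignore pattern and all function names are assumptions made for illustration.

```python
import re

# Values copied from the stanza in the question.
DELIM_REGEX = r":"
FIELDS = "ip:$1,description:Ransomware_ip_blocklist"
# Assumption: comment and blank lines are skipped before splitting.
IGNORE_REGEX = r"(^#|^\s*$)"

# Constructed sample in the shape of a plain IP blocklist (documentation addresses).
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.10

198.51.100.7
2001:db8::1
"""

def parse_fields_spec(spec):
    """Turn 'ip:$1,description:text' into [('ip', '$1'), ('description', 'text')]."""
    pairs = []
    for item in spec.split(","):
        name, _, template = item.partition(":")
        pairs.append((name.strip(), template.strip()))
    return pairs

def expand(template, columns):
    """Replace each $n with the n-th column (1-based); missing columns become ''."""
    def repl(m):
        idx = int(m.group(1)) - 1
        return columns[idx] if 0 <= idx < len(columns) else ""
    return re.sub(r"\$(\d+)", repl, template)

def parse_feed(text, delim_regex=DELIM_REGEX, fields=FIELDS, ignore_regex=IGNORE_REGEX):
    spec = parse_fields_spec(fields)
    rows = []
    for line in text.splitlines():
        if re.search(ignore_regex, line):
            continue  # comment or blank line
        columns = re.split(delim_regex, line.strip())
        rows.append({name: expand(tpl, columns) for name, tpl in spec})
    return rows

if __name__ == "__main__":
    for row in parse_feed(SAMPLE_FEED):
        print(row)
```

In this model an IPv4-only line contains no `:`, so `$1` is the whole line, while the constructed IPv6 line is split by the same delimiter and `$1` holds only its first group. The `description` value has no `$n` reference, so it is the same literal string on every row.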