( as per https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Addthreatintelcustomlookup) . and are unable to use this intelligence list with the "inputintelligence" command. Also, we see error like "Failed to read threatlist /opt/splunk/var/lib/splunk/modinputs/threatlist/oculus"
Can I use "| inputintelligence" in the correlation search ?
| eval TOR="danme_tor_node_list_with_ports" | lookup "danme_tor_node_list_with_ports" ip as All_Traffic.src_ip OUTPUT ip name | where isnotnull(ip)
??? still does not work
you can only use "| inputintelligence" on non-threat intelligence...given it's a local lookup you can just use "| inputlookup" ?
