Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: searching and alerting on ip_intel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hbfblueteam
New Member
05-04-2020
09:54 PM
Hi,
Does anyone know if there is an efficient way to incorporate ip_intel into a search/query. I want to set up an alert using a particular ip_intel feed for a specific index to notify me when there is traffic from high-risk IP addresses.
Currently trying the below but I get no results (saw the below as another answer but cannot get it to work)
index=reverse_proxy [|inputlookup ip_intel | return ip] | where ip=src
note: "src" is the the field name in which the IP is parsed for my index
Cheers
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
05-05-2020
04:33 AM
Hi,
Please try below query
index=reverse_proxy
| lookup ip_intel ip as src OUTPUT threat_key
| where isnotnull(threat_key)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
05-05-2020
04:33 AM
Hi,
Please try below query
index=reverse_proxy
| lookup ip_intel ip as src OUTPUT threat_key
| where isnotnull(threat_key)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hbfblueteam
New Member
05-05-2020
05:48 PM
Thank you, that has given me some results
Regards,
Marko
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-04-2020
10:22 PM
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return
<count>
Syntax: <int>
Description: Specify the number of rows.
Default: 1, which is the first row of results passed into the command.
see reference.
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
