I'm having problems using a lookup file as a whitelist. Basically, I have a simple IP address list with a CIDR mask appended, like:
So I uploaded it as PANDOSexceptions.csv, then I defined a stanza in transforms.conf as:
[PAN_DOS_exceptions]
filename = PAN_DOS_exceptions.csv
min_matches = 1
default_match = NONE
match_type = CIDR(ip_address)
Then I used https://my-splunk-server:8000/en-US/debug/refresh to reload transforms.conf, so when I execute the following search:
index="pan_logs" sourcetype=pan_threat log_subtype=flood | NOT [lookup PAN_DOS_exception ip_address AS src_ip]
It returns every entry without filtering against the lookup table. The idea is to exclude from the results those IP addresses that are in the lookup table.
Try something like this.
index="pan_logs" sourcetype=pan_threat log_subtype=flood NOT [ | inputlookup PAN_DOS_exception.csv | rename ip_address AS src_ip | table src_ip | format]
Hope it helps.
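To make the intended behaviour concrete outside Splunk, here is an added example (not from the question or the answer above) that models the exclusion offline in Python: a whitelist CSV with the same ip_address column as the lookup, a handful of constructed flood events, a CIDR match of src_ip against the whitelist (which is what match_type = CIDR(ip_address) asks the lookup to do, as opposed to exact string equality), and the list of events that survive the filter. It also assembles a NOT clause of the shape the answer's inputlookup-plus-format subsearch expands to; that string shape is an assumption to check against `| format` on your own instance. The CSV contents, event values and function names are all constructed for this example.

```python
"""Offline model of excluding events whose src_ip falls in a CIDR whitelist."""
import csv
import io
import ipaddress

# Constructed whitelist in the same shape as the lookup table (column: ip_address).
WHITELIST_CSV = """ip_address
10.0.0.0/8
192.168.1.0/24
203.0.113.7/32
"""

# Constructed events standing in for index=pan_logs sourcetype=pan_threat log_subtype=flood.
EVENTS = [
    {"src_ip": "10.20.30.40", "log_subtype": "flood"},
    {"src_ip": "192.168.1.99", "log_subtype": "flood"},
    {"src_ip": "192.168.2.1", "log_subtype": "flood"},
    {"src_ip": "203.0.113.7", "log_subtype": "flood"},
    {"src_ip": "198.51.100.23", "log_subtype": "flood"},
    {"src_ip": "not-an-ip", "log_subtype": "flood"},
]


def load_whitelist(csv_text):
    """Parse the lookup CSV into network objects. A malformed row is skipped
    rather than aborting the whole whitelist."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["ip_address"].strip(), strict=False))
        except ValueError:
            continue
    return nets


def is_whitelisted(src_ip, nets):
    """True when src_ip lies inside any whitelisted range (CIDR containment,
    not string equality, so 10.20.30.40 matches 10.0.0.0/8)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        # An unparseable src_ip can never match a range; keep it in the results
        # so a malformed field does not silently hide an event.
        return False
    return any(addr in net for net in nets)


def exclude_whitelisted(events, nets):
    """Keep only the events whose src_ip is in none of the whitelisted ranges."""
    return [e for e in events if not is_whitelisted(e["src_ip"], nets)]


def spl_not_clause(csv_text, field="src_ip"):
    """Build a NOT clause from the whitelist rows. Assumption: this approximates
    the `( ( src_ip="..." ) OR ( src_ip="..." ) )` text that `| format` emits
    for the answer's subsearch; verify against your own instance."""
    terms = [
        f'( {field}="{row["ip_address"].strip()}" )'
        for row in csv.DictReader(io.StringIO(csv_text))
    ]
    return "NOT ( " + " OR ".join(terms) + " )"


if __name__ == "__main__":
    nets = load_whitelist(WHITELIST_CSV)
    for event in exclude_whitelisted(EVENTS, nets):
        print(event["src_ip"])
    print(spl_not_clause(WHITELIST_CSV))
```

Running it keeps 192.168.2.1, 198.51.100.23 and the unparseable value, and drops the three addresses that fall inside the whitelisted ranges, which is the result the question is after.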