Hello, we need help setting up an ongoing query against a watchlist of suspicious IP addresses. We have made the following config changes so far with no results:

1. created a .CSV file in $SPLUNKroot\etc\apps\search\lookups (see sample contents below)

   bad_ip,suspicious
   X.X2.12.12,1
   X.X3.12.13,1
   X.X4.191.4,1
   X.X5.191.14,1

2. create the following props.conf; and transform.conf in \search\local\

props.conf

[cisco_asa]
LOOKUP-watch = sampl_watchlist bad_ip AS src

transforms.conf

[sampl_watchlist]
filename = sampl_watchlist.csv

Basically, how can we run our firewall logs against the watch list and alert on all matches. Thanks.