Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Watchlist Lookup

opsec
New Member
‎10-01-2012 09:12 AM

Hello, we need help setting up an ongoing query against a watchlist of suspicious IP addresses. We have made the following config changes so far with no results:

  1. created a .CSV file in $SPLUNKroot\etc\apps\search\lookups (see sample contents below)

    bad_ip,suspicious
    X.X2.12.12,1
    X.X3.12.13,1
    X.X4.191.4,1
    X.X5.191.14,1

  2. create the following props.conf; and transform.conf in \search\local\

props.conf

[cisco_asa]
LOOKUP-watch = sampl_watchlist bad_ip AS src

transforms.conf

[sampl_watchlist]
filename = sampl_watchlist.csv

Basically, how can we run our firewall logs against the watch list and alert on all matches. Thanks.

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎10-02-2012 03:53 PM

This should do it:

sourcetype=cisco_asa suspicious=1

because you defined an automatic lookup in props.conf

BTW, I would add the following to transforms.conf

min_matches = 1
default_match = "no match"

which will let you do other interesting searches, too.

0 Karma
Reply
Related Topics
IP Watchlist Lookup
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...