outputlookup command not found

Explorer

Hello,

Eventually I'm missing something, but I've searched quite a lot.
My problem is that I cannot use outputlookup because I get the following error:
bash: outputlookup: Command not found.
I've tried to get a watchlist with the following command:
"getwatchlist http://amada.abuse.ch/blocklist.php?download=ipblocklist delimiter=# categoryCol=2 isbad=true | outputlookup amada.csv"
The getwatchlist doesn't work like this, but with a workaround (python getwatchlist.py ...) I get the data. But the real problem is that the outputlookup isn't recognized.
If I type it in the search field in the Splunk Web Frontend it works, but not in the console where I have to run the other command (getwatchlist).
Am I missing something to get this working on the console? Any help would be nice.

Thanks in advance

Peter

0 Karma

Re: outputlookup command not found

SplunkTrust

Hey Peter,

From what you have said ("bash: outputlookup: Command not found."), it sounds like you are running getwatchlist from the shell. Getwatchlist will do this, but Splunk commands will not work. The command should be run from the Splunk web interface, via the search bar.

Here are some links that might help:

http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

and

http://blogs.splunk.com/2011/09/08/anonymous-proxies/

HTH,

Dave


Re: outputlookup command not found

Explorer

Hello again,

First: Thank you dshpritz, you've helped me to figure out what I'm missing.
Second: For all who have the same HowTo and come to this post because the command didn't work.
The command getwatchlist http://amada.abuse.ch/blocklist.php?download=ipblocklist delimiter=# categoryCol=2 isbad=true isn't getting something back, because the URI has changed. The new URI is http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist. There is also a DNS version of the list. Have a look: https://zeustracker.abuse.ch/blocklist.php

Happy splunking 🙂

0 Karma