| inputlookup ip_spywarelist.csv
| eval ip_range=split(ip,"-")
| eval start_ip=mvindex(ip_range, 0), end_ip=mvindex(ip_range, 1)
| eval start_ip_long=tonumber(split(start_ip,"\\.")[3])
| eval end_ip_long=tonumber(split(end_ip,"\\.")[3])
| eval ip_list=mvrange(start_ip_long,end_ip_long)
| mvexpand ip_list
| eval ip_address=substr(start_ip,1,strlen(start_ip) -length(start_ip_long))
| table ip_address
Notes: When I run this query, I get "Unknown search command '3'" (please don't mind any typos, as I typed the query manually here). Why does this query NOT work? The idea is to create a correlation search that would generate an alert if either the src_ip or the dest_ip matches an IP within the IP range (in the ip field). Since "ip_spywarelist.csv" has a field called "ip" that only contains IP ranges as values, I would like to search among all the IPs in each range, not just the start IP and end IP of the range (i.e. 2.60.13.132-2.60.13.137). I just wanted to verify that the query was working perfectly before I include it in: index=* sourcetype=* [ | inputlookup ip_spywarelist.csv | ... The CSV file is provided by Splunk under "threat intel." The idea is to create a correlation search using that file, which only provides the malicious IPs in IP range format.
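As an added example (not from the original post and not Splunk's own code), one way to expand each start-end range in the lookup into individual addresses: SPL has no `[3]` indexing and `split` takes a literal delimiter rather than a regex, so each endpoint is converted to a 32-bit integer with `mvindex`, the integer sequence is generated with `mvrange`, and each value is converted back to dotted-quad form. The lookup and `ip` field names come from the post; the `rex` pattern, the helper field names and the 1024-address size guard are assumptions.

```spl
| inputlookup ip_spywarelist.csv
| rex field=ip "^(?<start_ip>\d+\.\d+\.\d+\.\d+)-(?<end_ip>\d+\.\d+\.\d+\.\d+)$"
| where isnotnull(start_ip) AND isnotnull(end_ip)
| eval s=split(start_ip,"."), e=split(end_ip,".")
| eval start_long=tonumber(mvindex(s,0))*16777216 + tonumber(mvindex(s,1))*65536 + tonumber(mvindex(s,2))*256 + tonumber(mvindex(s,3))
| eval end_long=tonumber(mvindex(e,0))*16777216 + tonumber(mvindex(e,1))*65536 + tonumber(mvindex(e,2))*256 + tonumber(mvindex(e,3))
| where end_long>=start_long AND end_long-start_long<=1024
| eval ip_long=mvrange(start_long, end_long+1)
| mvexpand ip_long
| eval ip_address=tostring(floor(ip_long/16777216)).".".tostring(floor((ip_long%16777216)/65536)).".".tostring(floor((ip_long%65536)/256)).".".tostring(ip_long%256)
| rename ip_address AS query
| fields query
```

Returning the addresses in a field named `query` makes the subsearch insert them as literal search terms, so the outer search matches an event wherever the address appears, which covers both src_ip and dest_ip. The size guard exists because every expanded address counts toward the subsearch result limit (10,000 by default); drop it only after checking how large the ranges in the lookup actually are.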