Hi Team,
I'm using Enterprise Splunk and trying to use the inbuilt threat intel feeds in Splunk, let's say iblocklist_tor. I have enabled it and it is getting downloaded at the path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But when I do the lookup for it against my firewall logs, I'm getting no hits. What I'm trying is:
index=firewall[| inputlookup iblocklist_tor.csv]
but I'm not getting any results. The CSV being generated has (:) as its delimiter. Can you please help me out with how to get this done?
Thanks!
Vinod Yadav