I'm still new to Splunk and trying to figure out the correct syntax for lookups.
My goal is to compare a list of known IPs associated with a botnet and see if there is any traffic to/from the IPs in the firewall logs.
index=firewall_logs sourcetype=cisco:asa [ | inputlookup bad_ips.csv | fields IP ]
This returns nothing. What else am I missing? Thanks in advance!
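An added example, not part of the original post, showing the lookup-based way to match a CSV of indicators against firewall events in both directions; the subsearch in the question produces `IP=...` terms, so it only matches if the events actually carry a field named IP. The event field names src_ip and dest_ip are assumed here (check yours with `| fieldsummary`), and bad_ips.csv is assumed to be uploaded as a lookup table file with a column named IP.

```spl
index=firewall_logs sourcetype=cisco:asa
| lookup bad_ips.csv IP AS src_ip  OUTPUT IP AS src_match
| lookup bad_ips.csv IP AS dest_ip OUTPUT IP AS dest_match
| where isnotnull(src_match) OR isnotnull(dest_match)
| eval direction=if(isnotnull(src_match), "inbound_from_listed_ip", "outbound_to_listed_ip")
| stats count min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_ip direction
| convert ctime(first_seen) ctime(last_seen)
```

If you prefer to keep the subsearch form, it needs the lookup field renamed to the event field, e.g. `[ | inputlookup bad_ips.csv | eval src_ip=IP, dest_ip=IP | fields src_ip dest_ip | format "(" "(" "OR" ")" "OR" ")" ]`, and it is subject to the subsearch result limit, which the lookup command is not.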