Hello,
I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table.
For example,
> index=* sourcetype=bluecoat | table cs_host user | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=*
works, but> index=* sourcetype=bluecoat | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user
gives error saying **The lookup table 'threatintel_by_domain.csv' does not exist or is not available.**
All my custom lookup files work without table, but all the lookups in threatintel does not work without table. I've checked the permission and they are all global so it is not an issue with permission.
Any suggestion?
↧