How it works...

In this recipe, you identified the client IP addresses (the clientip field) associated with web requests that returned a status code of 403 over the past 7 days and wrote these IP addresses to a lookup file. Status code 403 means the clientip address in question attempted to access something that is forbidden. When writing the lookup, you used eval to create a new field called suspect and gave every entry a value of 1. This suspect field will be used as a flag to filter data later on.

When the initial search is executed, it leverages the outputlookup command, which writes data to a lookup file that you specify in the search (in this case, a file called suspect_ips.csv).
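The following two searches are an added illustration of the flow described above, not the recipe's own search text. The first builds the lookup: it selects 403 responses from the last 7 days, collapses them to one row per clientip, adds the suspect flag set to 1, and writes the result to suspect_ips.csv with outputlookup. The second shows how a later search can use that file: the lookup command enriches each event with the suspect field, and where keeps only events from flagged clients. The index and sourcetype (index=main, sourcetype=access_combined) and the forbidden_requests count field are assumptions for this example; adjust them to where your web access data actually lives.

```spl
index=main sourcetype=access_combined status=403 earliest=-7d@d
| stats count AS forbidden_requests BY clientip
| eval suspect=1
| outputlookup suspect_ips.csv

index=main sourcetype=access_combined earliest=-24h
| lookup suspect_ips.csv clientip OUTPUT suspect
| where suspect=1
| stats count BY clientip, uri_path, status
```

Run the two searches separately (the blank line marks the boundary). The stats step in the first search matters: without it, outputlookup writes one row per 403 event rather than one row per client, which inflates the lookup and slows every search that joins against it. Because outputlookup overwrites the file by default, rescheduling the first search on a daily basis keeps the list scoped to the trailing 7-day window rather than accumulating addresses indefinitely.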

The outputlookup command takes several arguments, as shown in the following table:

Argument ...
