Follow the steps in this recipe to create a lookup table of potentially malicious IP addresses:
- Log in to your Splunk server.
- Select the Operational Intelligence application.
- In the search bar, enter the following search over a time range of Last 7 days, and hit Enter or click on the search icon to execute the search:
index=main sourcetype="access_combined" status=403 | stats count by clientip | eval suspect="1" | outputlookup createinapp=true suspect_ips.csv
- A table of IP addresses with three columns, clientip, count, and suspect, will be displayed. Click on the Save as link and select Report:
- Enter cp07_suspect_ips ...
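To make clear what the search in this recipe actually produces, here is an added Python example (not from the book or from Splunk) that reproduces the pipeline offline: parse access_combined lines, keep only status 403, count by clientip, add a constant suspect column, and emit the same three-column CSV that outputlookup writes. The log lines are constructed for the example, the regex is an ordinary access_combined parser rather than Splunk's own extraction, and the file name suspect_ips.csv is the one used in the recipe.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample events in Apache access_combined format (not real traffic).
# One malformed line is included to show that unparseable records are dropped.
SAMPLE_LOGS = """\
10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /admin/config HTTP/1.1" 403 512 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
172.16.0.9 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 403 128 "-" "curl/8.0"
10.0.0.5 - - [10/Mar/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 403 64 "-" "python-requests/2.31"
172.16.0.9 - - [10/Mar/2024:10:00:06 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0"
this line is not a valid access_combined record
"""

# Field layout of access_combined: clientip ident user [time] "request" status bytes "referer" "useragent"
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_access_combined(text):
    """Yield one field dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ACCESS_COMBINED.match(line)
        if m:
            yield m.groupdict()


def suspect_ips(text, status="403"):
    """Offline equivalent of: status=403 | stats count by clientip | eval suspect="1".

    Returns a list of rows sorted by clientip (stats sorts its by-field the same way).
    """
    counts = Counter(
        ev["clientip"] for ev in parse_access_combined(text) if ev["status"] == status
    )
    return [{"clientip": ip, "count": n, "suspect": "1"} for ip, n in sorted(counts.items())]


def lookup_csv(rows):
    """Render the rows as the CSV that outputlookup would write (header + one line per IP)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["clientip", "count", "suspect"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def write_lookup(rows, path="suspect_ips.csv"):
    """Write the lookup table to disk; the name matches the recipe's outputlookup target."""
    with open(path, "w", newline="") as fh:
        fh.write(lookup_csv(rows))
    return path


def load_suspect_set(csv_text):
    """Read the lookup back into a set of IPs, which is what a later `lookup` command matches on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["clientip"] for row in reader if row["suspect"] == "1"}


if __name__ == "__main__":
    rows = suspect_ips(SAMPLE_LOGS)
    print(lookup_csv(rows), end="")
    print("suspect set:", sorted(load_suspect_set(lookup_csv(rows))))
```

The sample data yields two suspect IPs: 10.0.0.5 with three 403 responses and 172.16.0.9 with one; the 200 responses are ignored and the malformed line never reaches the counter. In Splunk the equivalent lookup is consumed later with `lookup suspect_ips clientip OUTPUT suspect`, which load_suspect_set approximates here.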