Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Use generic intelligence in search with inputintelligence

After you add generic intelligence to Splunk Enterprise Security, you can use the inputintelligence command to make use of the intelligence. See Add generic intelligence to Splunk Enterprise Security.

Description

Use the inputintelligence command to add intelligence from the threatlist directory to your search results. When downloaded, generic intelligence is parsed and stored in the $SPLUNK_DB/modinputs/threatlist$ directory.

Syntax

| inputintelligence <threatlist_stanza_name> [fields=<string>] [delim_regex=<string>] [extract_regex=<string>] [ignore_regex=<string>] [skip_header_lines=<int>] [include_raw=<bool>] [append=<bool>] [no_parse=<bool>]

Required arguments

threatlist_stanza_name

Syntax: <string>
Description: The stanza of the intelligence download. Matches the Name field on the Intelligence Downloads page. You can include multiple stanza names in your search. See Download an intelligence feed from the Internet in Splunk Enterprise Security.

Optional arguments

fields

Syntax: <string>
Description: Overrides the default fields setting for the intelligence download defined in the Intelligence Download page. Required if your document is line-delimited. Comma-separated list of fields to be extracted from the intelligence list. Can also be used to rename or combine fields. Description is a required field. Additional acceptable fields are the fields in the corresponding KV Store collection for the threat intelligence, visible in the local lookup files or the DA-ESS-ThreatIntelligence/collections.conf file. Defaults to description:$1,ip:$2.

delim_regex

Syntax: <string>
Description: Overrides the default delimiting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression string used to split, or delimit, lines in an intelligence source. For complex delimiters, use an extracting regular expression.

extract_regex

Syntax: <string>
Description: Overrides the default extracting regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to extract fields from individual lines of an intelligence source document. Use to extract values in the intelligence source.

ignore_regex

Syntax: <string>
Description: Overrides the default ignore regular expression setting for the intelligence download defined in the Intelligence Download page. A regular expression used to ignore lines in an intelligence source. Defaults to ignoring blank lines and comments that begin with #.

skip_header_lines

Syntax: <int>
Description: Overrides the default skip header lines setting for the intelligence download defined in the Intelligence Download page. The number of header lines to skip when processing the intelligence source.
Default: 0

include_raw

Syntax: <bool>
Description: If 1, t, or true, adds the original line content to an additional column called raw.
Default: 0

append

Syntax: <bool>
Description: If 1, t, or true, appends the results of the inputintelligence command to an existing set of search results instead of replacing it.
Default: 0

no_parse

Syntax: <bool>
Description: If 1, t, or true all other options are ignored and the raw contents of the intelligence file is returned one line per row.
Default: 0

Usage

The inputintelligence command is a transforming command.

Examples

1. View the top one million sites

View the top one million sites according to Cisco.

inputintelligence cisco_top_one_million_sites

2. Further examples

See Example: Add a generic intelligence source to Splunk Enterprise Security.

See also

inputlookup

PREVIOUS
Download an intelligence feed from the Internet in Splunk Enterprise Security
  NEXT
Example: Add a generic intelligence source to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters