SHA256 checksums
SHA256 checksum (getwatchlist-add-on-for-splunk-enterprise_10.tgz) 83fc5f41130749fa0e3f5801748b6d6b8465a0417a3acec2d24a9ee801e035d4
SHA256 checksum (getwatchlist-add-on-for-splunk-enterprise_09.tgz) 24cd9dff138008f085bf036a23da1927c600222a5c000fc85a98f4275f5e5136
SHA256 checksum (getwatchlist-add-on-for-splunk-enterprise_07.tgz) 656aa7f3a6b23cbd9d671513dd8d6aab7aa2a0c47f71186e4f2b7e422b249af8

Getwatchlist Add-on for Splunk Enterprise

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
Getwatchlist is a custom search command for Splunk which will return a CSV formatted list from a URL. This is useful for creating lookup tables and keeping them up to date from external or internal sources. These watchlists can contain virtually anything such as domain names, IP addresses, host names, email addresses, filenames, etc. and can then be used in searches against your events. These watchlists can be in any delimited format (tab, comma, space, etc.).

NOTE: If you were using a previous version, please make sure to read about the changes in the configuration file locations, and backup any custom configurations you may have prior to upgrading!


This custom command has been tested on Splunk 5 and higher. If you want to pull down lists from the internet, your search head will need internet access.


To install, copy the downloaded tarball to the SPLUNK_HOME/etc/apps directory and expand it. This will create a directory named getwatchlist which contains the sample configuration file, the commands.conf that enables the command, and the permissions that make the command usable globally in Splunk. Splunk will need to be restarted for the new application and configuration to take effect.


Options for getwatchlist can be supplied via the search options passed in the search box, a configuration file, or a combination of the two.

The first argument passed to getwatchlist is the URL of the watchlist or the name of a profile in the configuration file. If a profile exists, it will be loaded first, and then options passed via the search command will be used to overwrite the stored settings.

Options are passed in a "key=value" fashion. Arguments that are passed and are not known arguments will be appended as custom fields. So if I add a field of spam=tasty, each line of the CSV which is returned will have a column named "spam", with a value of "tasty".

If there are additional columns in the list which you would like to be output as well, you can tell the command which column to include and what its name should be. To do this, use an integer (the column number you would like to include) as the key, and give it the name you want for the column as the value. So to include column 3 of a list and name the column "enddate", you would add that key=value pair to your command parameters or configuration.

Here are options which can be passed, or used in the configuration file:

categoryCol: The column number of any category field in the fetched file.

comment (default: #): The character which is used to denote a commented-out line.

dateCol: The column number of any date field in the file which you would like to use for reference.

delimiter (default: \t): The delimiter of the fetched file.

ignoreFirstLine (default: False): Some watchlists contain a header which is not commented out. If this is set to "True" this line will be ignored.

relevantFieldCol (default: 1): The column number (starting at 1) which contains the key value you would like to use.

relevantFieldName (default: ip_address): What you would like the field to be named in the CSV output (not the name in the fetched CSV).

referenceCol: The column number of any reference field in the fetched CSV.

url: The URL of the file to be retrieved (HTTP, HTTPS or FTP).

authUser: Username to use for authentication (HTTP Basic or FTP).

authPassword: Password to use for authentication (HTTP Basic or FTP).

proxyHost: Hostname or IP of the HTTP proxy to be used for HTTP and HTTPS connections.

proxyPort: Port for the HTTP proxy.

Configuration File

Configurations are kept in files named getwatchlist.conf. An example of this file is in the /default/ directory of the application. It contains example profiles which are ready to use.

Any custom configuration items in the /local/ version of the .conf file will override or add on to any settings in the /default/ file, much like normal Splunk configuration.

Additionally, settings entered via the search command will override both the /default/ and /local/ settings.

The "globals" section of the configuration file can be used for proxy configuration. By using the globals section, the command will use those settings by default, but can be overridden using command or profile settings.
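The following Python is an added illustration of the two mechanisms described above, the option list and the configuration-file precedence; it is not the add-on's own code. It resolves settings in the documented order (command-line options over a named profile over the "globals" stanza over the built-in defaults) and then turns a delimited list into the rows the command would emit as CSV, honouring comment, delimiter, ignoreFirstLine, relevantFieldCol/relevantFieldName, the category/reference/date columns, numbered extra columns and unknown key=value custom fields. The getwatchlist.conf stanza layout, the exact meaning of ignoreFirstLine (drop the first non-comment line) and the sample list contents are assumptions; the network fetch is replaced by constructed in-memory text so it runs offline.

```python
"""Added illustration of getwatchlist's option handling; not the add-on's own code.
Settings resolve command line > profile > [globals] > built-in defaults, then a
delimited list is turned into CSV rows.  The fetch is replaced by constructed text."""
import configparser
import csv
import io

# Built-in defaults as documented in the option list.
DEFAULTS = {
    "comment": "#",
    "delimiter": "\t",
    "ignoreFirstLine": "False",
    "relevantFieldCol": "1",
    "relevantFieldName": "ip_address",
}
# Every documented option; anything else on the command line becomes a custom field.
KNOWN = set(DEFAULTS) | {"categoryCol", "dateCol", "referenceCol", "url", "authUser",
                         "authPassword", "proxyHost", "proxyPort"}

# Constructed getwatchlist.conf text; the stanza layout is an assumption.
SAMPLE_CONF = """
[globals]
proxyHost = proxy.example.internal
proxyPort = 3128

[dshield]
url = http://feeds.dshield.org/block.txt
relevantFieldName = rangestart
ignoreFirstLine = True
referenceCol = 5
"""

# Constructed tab-delimited list in the column layout the Malware Domains search expects.
SAMPLE_LIST = (
    "# comment lines are skipped\n"
    "20110816\t\tbad.example.test\tphishing\thttp://ref.example.test/1\t20110801\n"
    "20110816\t\tevil.example.test\tbotnet\thttp://ref.example.test/2\t20110802\n"
)


def parse_args(argv):
    """First token is a URL or profile name; the rest are key=value pairs."""
    opts = {}
    for arg in argv[1:]:
        key, _, value = arg.partition("=")
        opts[key] = value.strip("'\"")   # allow quoted values as in the example searches
    return argv[0], opts


def resolve_settings(argv, conf_text):
    """Layer [globals], then the named profile (if any), then command options over DEFAULTS."""
    first, cli = parse_args(argv)
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep option names case-sensitive (camelCase keys)
    parser.read_string(conf_text)
    settings = dict(DEFAULTS)
    if parser.has_section("globals"):
        settings.update(parser["globals"])
    if parser.has_section(first):
        settings.update(parser[first])
    else:
        settings["url"] = first       # not a profile name: treat it as the URL itself
    settings.update(cli)
    return settings


def _column(cols, number):
    """1-based column access that yields "" for short rows instead of raising."""
    n = int(number)
    return cols[n - 1].strip() if 0 < n <= len(cols) else ""


def parse_watchlist(text, settings):
    """Turn delimited text into the list of row dicts the command would emit as CSV."""
    delimiter = settings["delimiter"].encode().decode("unicode_escape")  # "\\t" -> tab
    comment = settings["comment"]
    named = {"category": "categoryCol", "reference": "referenceCol", "date": "dateCol"}
    extra_cols, custom = {}, {}
    for key, value in settings.items():
        if key in KNOWN:
            continue
        # "3=enddate" style keys copy a column under a new name; other keys are constants.
        (extra_cols if key.isdigit() else custom)[key] = value
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith(comment)]
    if settings["ignoreFirstLine"].lower() == "true":
        lines = lines[1:]             # assumed: drops the first non-comment line (the header)
    rows = []
    for line in lines:
        cols = line.split(delimiter)
        row = {settings["relevantFieldName"]: _column(cols, settings["relevantFieldCol"])}
        for out_name, option in named.items():
            if settings.get(option):
                row[out_name] = _column(cols, settings[option])
        for number, name in extra_cols.items():
            row[name] = _column(cols, number)
        row.update(custom)
        rows.append(row)
    return rows


def to_csv(rows):
    """Serialise the rows as CSV, the shape a lookup table expects."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    argv = ["http://mirror1.malwaredomains.com/files/domains.txt", 'relevantFieldName="domain"',
            "relevantFieldCol=3", "categoryCol=4", "referenceCol=5", "dateCol=6", "isbad=true"]
    print(to_csv(parse_watchlist(SAMPLE_LIST, resolve_settings(argv, SAMPLE_CONF))))
```

Two details worth noting: configparser lowercases option names unless optionxform is overridden, which is exactly the kind of case-sensitivity problem the 0.9 release notes mention, and any column read from the feed is kept as an untrusted string, so a value such as "isbad=true" only ever comes from your own command line or configuration, never from the fetched list.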


Splunk Searches to output a watchlist

Malware Domains
| getwatchlist http://mirror1.malwaredomains.com/files/domains.txt relevantFieldName="domain" relevantFieldCol=3 categoryCol=4 referenceCol=5 dateCol=6 isbad=true

Zeus tracker IP list
| getwatchlist http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist

DShield recommended block list
| getwatchlist http://feeds.dshield.org/block.txt relevantFieldName='rangestart' ignoreFirstLine=True referenceCol=5

Spamhaus DROP list
| getwatchlist http://www.spamhaus.org/drop/drop.lasso delimiter=; relevantFieldName='sourceRange' relevantFieldCol=1 referenceCol=2 ignoreFirstLine=True

Configuration File Examples

Examples can be found in /default/getwatchlist.conf.

Splunk Searches using saved lookups

Using a subsearch from the CSV: index="webproxy" [|inputlookup phishtank.csv | fields uri]
Using a configured lookup: index="webproxy" | lookup phishtank uri | search isbad=true

Release Notes

Version 1.0
Aug. 16, 2011

- Better error handling and output in Splunk
- The ability to add values from other columns in the fetched list.
- The configuration file has been made more Splunk-like. An example file is in /default/ and custom profiles or configs can be added to a getwatchlist.conf in the /local/ directory.
- The URL for Malware Domains has been updated as from 8/1/11 the domains.txt file will only be available from mirrors
- Note that a potential security vulnerability was found in version 0.7. Users are urged to update.

Version 0.9
May 23, 2011

- Support for proxies (proxyHost, proxyPort)
- Support for HTTP and FTP authentication (authUser, authPass)
- Changed to urllib2 from urllib
- Updated configuration file examples
- Fixed a bug causing case sensitivity in search command parameters

Version 0.7
May 11, 2011

First public release.

