<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Automatically Get Lookup Table with Universal Forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Automatically-Get-Lookup-Table-with-Universal-Forwarder/m-p/150322#M30554</link>
    <description>&lt;P&gt;You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.&lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.&lt;/P&gt;</description>
    <pubDate>Fri, 12 Dec 2014 22:03:02 GMT</pubDate>
    <dc:creator>lguinn2</dc:creator>
    <dc:date>2014-12-12T22:03:02Z</dc:date>
    <item>
      <title>Automatically Get Lookup Table with Universal Forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatically-Get-Lookup-Table-with-Universal-Forwarder/m-p/150321#M30553</link>
      <description>&lt;P&gt;Hello Splunk Verse,&lt;/P&gt;

&lt;P&gt;I was wondering if anyone could help solve a configuration challenge?  My system admins want to index login-logout data to Splunk (easy &amp;amp; done), and we want to index a lookup table that the application will generate on the remote host.  We would like this to be picked up by UF and then properly put into a global lookup table.  This file will store application/login metadata.  It will be utilized to validate that logins aren't abused.  (So use the lookup table to define allowed login locations &amp;amp; reverse match against the actual logs).&lt;/P&gt;

&lt;P&gt;I can't find in the documentation how to configure UF to grab the file &amp;amp; index it to a lookup table.  Can anyone help?&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 12 Dec 2014 21:14:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatically-Get-Lookup-Table-with-Universal-Forwarder/m-p/150321#M30553</guid>
      <dc:creator>ltrand</dc:creator>
      <dc:date>2014-12-12T21:14:58Z</dc:date>
    </item>
    <item>
      <title>Re: Automatically Get Lookup Table with Universal Forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatically-Get-Lookup-Table-with-Universal-Forwarder/m-p/150322#M30554</link>
      <description>&lt;P&gt;You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.&lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.&lt;/P&gt;</description>
      <pubDate>Fri, 12 Dec 2014 22:03:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatically-Get-Lookup-Table-with-Universal-Forwarder/m-p/150322#M30554</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2014-12-12T22:03:02Z</dc:date>
    </item>
  </channel>
</rss>

