Automatically Get Lookup Table with Universal Forwarder

ltrand
Contributor

Hello Splunk Verse,

I was wondering if anyone could help solve a configuration challenge? My system admins are wanting to index login-logout data to Splunk (easy & done), and we want to index a lookup table that the application will generate on the remote host. We would like this to be picked up by UF and then properly put into a global lookup table. This file will store application/login metadata. It will be utilized to validate that logins aren't abused. (So use the lookup table to define allowed login locations & reverse match against the actual logs).

I can't find in the documentation how to configure UF to grab the file & index it to a lookup table. Can anyone help?

Thanks!

lguinn2
Legend

You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.

  1. You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.

  2. OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.

There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.
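A configuration sketch of option #2 from the answer above, added here as an illustration and not part of the original thread: the forwarder monitors the application's CSV into its own index, and a scheduled search on the search head rewrites a lookup file from it. The file path, index name, sourcetype, field names (`user`, `allowed_src`), lookup filename and schedule are all assumptions to replace with your own.

```ini
# --- Universal Forwarder: inputs.conf ---
# Monitor the CSV the application generates (hypothetical path) and
# send it to a dedicated index instead of the login/logout index.
# The index must already exist on the indexers.
[monitor:///opt/app/export/allowed_logins.csv]
index = app_login_meta
sourcetype = app_login_allowlist
disabled = 0

# --- Universal Forwarder: props.conf ---
# Parse the CSV header on the forwarder so each row is indexed as an
# event with the column names as fields.
[app_login_allowlist]
INDEXED_EXTRACTIONS = csv

# --- Search head: savedsearches.conf ---
# Hourly scheduled search that rebuilds the lookup from the indexed rows.
# outputlookup overwrites the target file on every run.
[Refresh allowed login locations lookup]
enableSched = 1
cron_schedule = 15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = index=app_login_meta sourcetype=app_login_allowlist \
| dedup user, allowed_src \
| table user, allowed_src \
| outputlookup allowed_login_locations.csv
```

Because the lookup is rebuilt from whatever the remote host writes, the allowlist is only as trustworthy as that host and file; restricting write access to the CSV and alerting on unexpected changes in the `app_login_meta` index keeps the validation meaningful.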
