Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Automatically Get Lookup Table with Universal Forwarder

ltrand
Contributor
‎12-12-2014 01:14 PM

Hello Splunk Verse,

I was wondering if anyone could help solve a configuration challenge? My system admin's are wanting to index login-logout data to Splunk, (easy & done), and we want to index a lookup table that the application will generate on the remote host. We would like this to be picked up by UF and then properly put into a global lookup table. This file will store application/login metadata. It will be utilized to validate that login's aren't abused. (So use the lookup table to define allowed login locations & reverse match against the actual logs).

I can't find in the documentation how to configure UF to grab the file & index it to a lookup table. Can anyone help?

Thanks!

0 Karma
Reply

lguinn2
Legend
‎12-12-2014 02:03 PM

You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.

  1. You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.

  2. OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.

There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...