Automatically Get Lookup Table with Universal Forwarder


Hello Splunk Verse,

I was wondering if anyone could help solve a configuration challenge? My system admins are wanting to index login-logout data to Splunk (easy & done), and we want to index a lookup table that the application will generate on the remote host. We would like this to be picked up by UF and then properly put into a global lookup table. This file will store application/login metadata. It will be utilized to validate that logins aren't abused. (So use the lookup table to define allowed login locations & reverse match against the actual logs).

I can't find in the documentation how to configure UF to grab the file & index it to a lookup table. Can anyone help?


0 Karma


You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.

  1. You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.

  2. OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.

There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.
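
Option 2 from the answer above, sketched as an added example that is not part of the original thread: the forwarder indexes the generated CSV, a scheduled search exports it to a lookup file, and a second search reports logins that have no match in it. The file path, index names, sourcetype, field names (`user`, `src`, `allowed_src`, `action`) and lookup file name are all assumptions.

```ini
# Added example; every path, index, sourcetype and field name is an assumption.

# inputs.conf on the Universal Forwarder: index the generated file
[monitor:///opt/app/export/login_metadata.csv]
index = app_login_meta
sourcetype = app:login_meta

# props.conf on the Universal Forwarder: parse the CSV header into fields
[app:login_meta]
INDEXED_EXTRACTIONS = csv

# savedsearches.conf on the search head
# 1) Rebuild the lookup from the indexed rows. The 7-day window assumes the
#    application rewrites the file at least weekly; override_if_empty=false
#    keeps the previous lookup if nothing was indexed in that window.
[Build allowed_login_locations lookup]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = index=app_login_meta sourcetype=app:login_meta \
| dedup user allowed_src \
| eval allowed="yes" \
| table user allowed_src allowed \
| outputlookup override_if_empty=false allowed_login_locations.csv

# 2) Reverse match: logins whose user/source pair is not in the lookup
[Login from location not in allowed list]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = index=app_logins action=login \
| lookup allowed_login_locations.csv user, allowed_src AS src OUTPUT allowed \
| where isnull(allowed) \
| stats count min(_time) AS first_seen BY user src
```

A row the application removes from its file stays in the lookup until the old events age out of the rebuild window, so a revoked location is still treated as allowed for up to that long.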