Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Automatically Get Lookup Table with Universal Forwarder

ltrand
Contributor
‎12-12-2014 01:14 PM

Hello Splunk Verse,

I was wondering if anyone could help solve a configuration challenge? My system admin's are wanting to index login-logout data to Splunk, (easy & done), and we want to index a lookup table that the application will generate on the remote host. We would like this to be picked up by UF and then properly put into a global lookup table. This file will store application/login metadata. It will be utilized to validate that login's aren't abused. (So use the lookup table to define allowed login locations & reverse match against the actual logs).

I can't find in the documentation how to configure UF to grab the file & index it to a lookup table. Can anyone help?

Thanks!

0 Karma
Reply

lguinn2
Legend
‎12-12-2014 02:03 PM

You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.

  1. You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.

  2. OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.

There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...