We are in the process of migrating On-Premise Apps to Splunk Cloud.
There is one App in which there are a few scripts which (by accessing a local directory) update the lookup files continuously to be used on the Searchhead.
For this EITHER we can place the scripts on local Universal Forwarders, where they will update the lookup files locally (by accessing cifs mounts), and then we need to check if there is any mechanism by which these lookup files can be forwarded continuously to the Splunk Cloud Searchhead from the local forwarder, OR the scripts need to be placed directly on the Cloud Searchhead.
Out of these, the 2nd option won't work, as the scripts can't be placed on the Cloud Searchhead because they access/need the local filer (cifs) mount points to update the lookup file data.
So I need to know if there is any mechanism by which the updated lookup files can be forwarded continuously from local Universal Forwarders to the Splunk Cloud Searchhead?
Dear Splunk Professionals,
Here I am posting the solution for the query I raised:
In order to get the lookups (which are going to be placed on the Cloud Searchhead) updated regularly by pre-processing scripts placed locally on Universal/Business Forwarders, we need to follow the steps below:
1) Basically we will have to place the lookups on the Universal/Business forwarders, and then whenever they get updated by the pre-processing scripts, the same lookups can be ingested as an input to the Universal Forwarders.
2) In order to achieve this, we need to first configure the lookups (placed on the Universal Forwarders) as an input to the Universal Forwarders by defining them under inputs.conf
3) Once configured, the lookups can be ingested into Splunk Cloud
4) We have to develop a search query which, on the Cloud Searchhead, will display the result of the expected lookup, and then we need to pipe the same search to a command called “outputlookup”. Using this “outputlookup” command, we can write the output of the search query to a static lookup file. For more information on the outputlookup command kindly refer to the URL below
5) With this command either the lookup file contents can be appended to or the whole file can be replaced
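The steps above as concrete configuration, added here as an illustration and not taken from the poster's own app: the file path, index name, sourcetype, lookup name, field names and schedule are all assumed. The staging script is assumed to write each refresh to a new timestamped file rather than rewriting one file in place, so that every refresh is ingested whole and the rebuild search can pick the newest file deterministically.

```ini
# ---- inputs.conf on the Universal Forwarder (assumed path and index) ----
# The pre-processing script writes each refresh as a new file, e.g.
# /opt/lookup_staging/asset_owners_20240102T1200.csv, so the monitor input
# ingests the complete file every time instead of tailing a rewritten one.
[monitor:///opt/lookup_staging/asset_owners_*.csv]
index = lookup_staging
sourcetype = asset_owners_csv
crcSalt = <SOURCE>
disabled = 0

# ---- props.conf on the Universal Forwarder ----
# INDEXED_EXTRACTIONS must live on the forwarder: the UF parses the CSV
# header itself and sends structured events to Splunk Cloud.
[asset_owners_csv]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
# The CSV carries no timestamp column; stamp events with ingest time.
DATETIME_CONFIG = CURRENT

# ---- savedsearches.conf on the Splunk Cloud search head ----
# Scheduled rebuild: keep only the rows from the newest staged file
# (filenames sort lexically by timestamp) and replace the lookup.
# override_if_empty=false keeps the existing lookup intact if ingestion
# stalls, so a forwarder outage cannot silently empty a lookup that
# searches and alerts depend on.
[Rebuild asset_owners lookup]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
search = index=lookup_staging sourcetype=asset_owners_csv \
  | eventstats max(source) AS newest_source \
  | where source == newest_source \
  | dedup hostname \
  | table hostname owner environment \
  | outputlookup override_if_empty=false asset_owners.csv
```

Restrict the lookup_staging index to the role that owns the rebuild search, since every staged row is searchable as raw events by anyone with access to that index, and give the forwarder's service account read-only rights on the cifs mount.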