Automatically Get Lookup Table with Universal Forw...

ltrand · ‎12-12-2014

Hello Splunk Verse,

I was wondering if anyone could help solve a configuration challenge? My system admin's are wanting to index login-logout data to Splunk, (easy & done), and we want to index a lookup table that the application will generate on the remote host. We would like this to be picked up by UF and then properly put into a global lookup table. This file will store application/login metadata. It will be utilized to validate that login's aren't abused. (So use the lookup table to define allowed login locations & reverse match against the actual logs).

I can't find in the documentation how to configure UF to grab the file & index it to a lookup table. Can anyone help?

Thanks!

lguinn2 · ‎12-12-2014

You cannot forward data into a lookup table. Forwarded data goes into an index - there is no other choice.

You can use some other mechanism to place / update a CSV file in the Splunk indexers' lookup directory.
OR, you could send the data to a different index using Splunk. And then you could export that data (using a scheduled search) into a Splunk lookup table. Or you could write your searches differently, so that they use both indexes and not a lookup table.

There might be other options, but I can't think of them. Frankly, I would probably go with option #1 if I could.

Automatically Get Lookup Table with Universal Forwarder

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...