Is there a log of modifications of each lookup table for auditing of lookup table changes?

New Member

We have several lookup tables that are updated frequently. Is there a log recording who makes a modification to each lookup table?

0 Karma

SplunkTrust

How do you update your lookup files?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Through "The Lookup Updater" in Sideview Utils.

0 Karma

New Member

I have found a slight workaround. When "Delete" is clicked in "The Lookup Updater", a web call is made that performs a search. The search looks like this:

search:| inputlookup test.csv| eval zomgItsOurRow=if(GroupName=="Test_Group","1","0")| streamstats count(eval(zomgItsOurRow==1)) as zomgHaveWeMatchedYet| eval zomgItsOurRow=if(zomgHaveWeMatchedYet<2,zomgItsOurRow,0)| fields - zomgHaveWeMatchedYet| search NOT zomgItsOurRow=1 | fields - zomgItsOurRow | outputlookup test.csv

I then simply looked at index=_audit for this search being performed. It includes the user, time, and entry that they removed.

0 Karma
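The audit lookup described in the last reply, written out as a search. This is an added example, not part of the original thread or of Sideview Utils. It assumes the standard `_audit` search-event fields `user`, `action`, `info` and `search`, and that the search string is logged unescaped; `lookup_file`, `match_field`, `match_value` and `change_type` are names introduced here.

```spl
index=_audit action=search info=granted search="*outputlookup*"
    NOT search="*_audit*"
``` The NOT clause keeps this audit search from matching its own audit record ```
| rex field=search "outputlookup\s+(?:\w+=\S+\s+)*(?<lookup_file>[^\s|']+)"
``` For the Lookup Updater delete search quoted above, pull out the field and value that selected the removed row ```
| rex field=search "zomgItsOurRow=if\((?<match_field>[^=]+)==\"(?<match_value>[^\"]*)\""
| eval change_type=if(isnotnull(match_field), "row deleted via Lookup Updater", "other outputlookup write")
| table _time user lookup_file change_type match_field match_value search
| sort - _time
```

Any search that writes a lookup with `outputlookup` appears here, not only Lookup Updater deletes, and the history reaches back only as far as the retention of the `_audit` index.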