All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a log of modifications of each lookup table for auditing of lookup table changes?

hammonaj
New Member
‎10-03-2017 09:07 AM

We have several lookup tables that are updated frequently. Is there a log recording who makes a modification to each lookup table?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2017 12:58 PM

How do you update your lookup files?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hammonaj
New Member
‎10-04-2017 10:35 AM

Through "The Lookup Updater" in Sideview Utils.

0 Karma
Reply

hammonaj
New Member
‎10-03-2017 10:54 AM

I have found a slight workaround. When "Delete" is clicked in "The Lookup Updater" a webcall is made that performs a search. The search looks like this:

search:| inputlookup test.csv| eval zomgItsOurRow=if(GroupName=="Test_Group","1","0")| streamstats count(eval(zomgItsOurRow==1)) as zomgHaveWeMatchedYet| eval zomgItsOurRow=if(zomgHaveWeMatchedYet<2,zomgItsOurRow,0)| fields - zomgHaveWeMatchedYet| search NOT zomgItsOurRow=1 | fields - zomgItsOurRow | outputlookup test.csv

I then simply looked at index=_audit for this search being performed. It includes the user, time, and entry that they removed.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...