Private Lookup table creation by REST API

sumangala
Path Finder

I am working on a network security project. I need to create a private lookup table for individual users, such that no user can see the content of another user's lookup table.
I created the lookup table with:
curl -k -u username:pwd https://localhost:8089/servicesNS/nobody/*appname*/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/april.csv' -d 'name=12_april_lookup.csv'
This created the '12_april_lookup.csv' file inside the .../my_app/lookup/ folder. The lookup table's permission is private at this point.

But when I add some data to the lookup table with the search command below:
| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True
then the file gets created in another app's folder with global permission. Now all users can view the file content with
|inputlookup 12_april_lookup.csv

Can anyone help me to resolve this?

0 Karma

jonmargulies
Path Finder

Hi Sumangala,

What app are you in when you run "| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True"? If it isn't the same app where you created the initial lookup, Splunk will create a new lookup in the app in which you ran that "| makeresults..." query.

All you should have to do to fix this is switch over to appname in SplunkWeb and run the query again.

0 Karma

jkat54
SplunkTrust

Are you specifying an app context when you append data? Have you tried lowercase 'true' instead of True on createinapp? The documentation says lowercase but doesn't say it must be lowercase but in code we have to interpret your input somehow... Sometimes we expect you may use , 1, T, true, TRUE, True, tRuE... Sometimes we don't 😉

0 Karma

sumangala
Path Finder

Hi,
Thank you for your response.
Yes. This morning I found the mistake I was making. I have created a custom Splunk app, which doesn't have a search window. By default another app was set for search, so all my lookup tables were created in the other app's folder.
Currently, I am facing a problem creating a lookup table in the lookup staging area ('/opt/splunk/var/run/splunk/lookup_tmp/'), as its owner and group owner is splunk. Other users are not allowed to create a lookup table in this folder.
I have searched many answers for this. There is no REST API to create a lookup table in the staging area.
How can a user create a CSV file in the lookup staging area?
Currently I am creating it by changing the folder owner from splunk to username. But this is not the correct way.
Can you guide me through this?

0 Karma

jonmargulies
Path Finder

What are you ultimately trying to accomplish? I only ask because I can't think of any reason you would need to create a lookup table manually in /opt/splunk/var/run/splunk.

0 Karma

sumangala
Path Finder

Hi,
I have to create a private lookup table for individual users, such that no user can view another user's lookup table. I was able to create this private lookup table with this REST API call:

curl -k -u username:pwd https://localhost:8089/servicesNS/username/app_name/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv' -d 'name=user_april.csv'
With this I was able to create a lookup table for an individual user. This will create 'user_tmp_lookup.csv' inside '/opt/splunk/etc/users/username/app_name/lookup/'.

But before this, 'user_tmp_lookup.csv' should be present in the lookup staging area, i.e. at this location: '/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv'. I am doing this manually. How can I create the lookup in the staging area?

0 Karma

jkat54
SplunkTrust

So then my answer regarding if you were specifying the app context was correct for your original question. Please mark an answer as the answer and open a new question concerning the "lookup stage area".

Thanks,
jkat54

0 Karma
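
An added example, not part of any post in this thread: a check for the problem described in the original question, where a lookup meant to be private ends up in another app with global sharing. It assumes the JSON listing returned by the lookup-table-files endpoint with output_mode=json and reads each entry's acl block; the response, user names and app names below are constructed.

```python
import json

# Constructed sample shaped like the JSON returned by
#   GET /servicesNS/-/-/data/lookup-table-files?output_mode=json
# Only the fields used here are included; users and apps are made up.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "user_april.csv",
         "acl": {"app": "my_app", "owner": "alice", "sharing": "user"}},
        {"name": "user_april.csv",
         "acl": {"app": "my_app", "owner": "bob", "sharing": "user"}},
        # The situation from the question: same file name, wrong app,
        # readable by everyone.
        {"name": "12_april_lookup.csv",
         "acl": {"app": "search", "owner": "alice", "sharing": "global"}},
    ]
})


def audit_lookup_files(response_text, expected_app):
    """Return (name, owner, problems) for every lookup file that is not
    private to its owner or that sits outside expected_app."""
    findings = []
    for entry in json.loads(response_text).get("entry", []):
        acl = entry.get("acl", {})
        problems = []
        # "user" is the sharing level of a private object.
        if acl.get("sharing") != "user":
            problems.append("sharing=%s" % acl.get("sharing"))
        # A lookup written from the wrong app context lands in that app.
        if acl.get("app") != expected_app:
            problems.append("app=%s" % acl.get("app"))
        if problems:
            findings.append((entry.get("name"), acl.get("owner"), problems))
    return findings


if __name__ == "__main__":
    for name, owner, problems in audit_lookup_files(SAMPLE_RESPONSE, "my_app"):
        print("%s (owner %s): %s" % (name, owner, ", ".join(problems)))
```
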