Private Lookup table creation by REST API

sumangala
Path Finder

I am working on a network security project. I need to create a private lookup table for each individual user, such that no user can see the content of another user's lookup table.
I have created the lookup table with:
curl -k -u username:pwd https://localhost:8089/servicesNS/nobody/*appname*/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/april.csv' -d 'name=12_april_lookup.csv'
This created the '12_april_lookup.csv' file inside the .../my_app/lookup/ folder. The lookup table's permission is private at this point.

But when I add some data to the lookup table with the search command below:
| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True
the file gets created in another app's folder with global permission. Now all users can view the file content with
|inputlookup 12_april_lookup.csv

Can anyone help me to resolve this?

0 Karma

jonmargulies
Path Finder

Hi Sumangala,

What app are you in when you run "| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True"? If it isn't the same app where you created the initial lookup, Splunk will create a new lookup in the app in which you ran that "| makeresults..." query.

All you should have to do to fix this is switch over to appname in SplunkWeb and run the query again.

0 Karma

jkat54
SplunkTrust

Are you specifying an app context when you append data? Have you tried lowercase 'true' instead of True on createinapp? The documentation says lowercase but doesn't say it must be lowercase but in code we have to interpret your input somehow... Sometimes we expect you may use , 1, T, true, TRUE, True, tRuE... Sometimes we don't 😉

0 Karma

sumangala
Path Finder

Hi,
Thank you for your response.
Yes. This morning I found out the mistake I was making. I have created a custom Splunk app, which doesn't have a search window. By default another app was set for search, so all my lookup tables were created in the other app's folder.
Currently, I am facing a problem creating a lookup table in the lookup stage area ('/opt/splunk/var/run/splunk/lookup_tmp/'), as its owner and group owner is splunk. Other users are not allowed to create a lookup table in this folder.
I have searched many answers for this. There is no REST API to create a lookup table in the stage area.
How can a user create a CSV file in the lookup stage area?
Currently I am creating it by changing the folder owner from splunk to username. But this is not the correct way.
Can you guide me through this?

0 Karma

jonmargulies
Path Finder

What are you ultimately trying to accomplish? I only ask because I can't think of any reason you would need to create a lookup table manually in /opt/splunk/var/run/splunk.

0 Karma

sumangala
Path Finder

Hi,
I have to create a private lookup table for each individual user, such that no user can view another user's lookup table. I was able to create this private lookup table with this REST API:

curl -k -u username:pwd https://localhost:8089/servicesNS/username/app_name/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv' -d 'name=user_april.csv'
With this I was able to create a lookup table for an individual user. This will create 'user_tmp_lookup.csv' inside '/opt/splunk/etc/users/username/app_name/lookup/'.

But before this, 'user_tmp_lookup.csv' must be present in the lookup staging area, i.e. at this location: '/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv'. I am doing this manually. How can I create the lookup in the staging area?

0 Karma

jkat54
SplunkTrust

So then my answer regarding if you were specifying the app context was correct for your original question. Please mark an answer as the answer and open a new question concerning the "lookup stage area".

Thanks,
jkat54

0 Karma
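
An added example, not part of the thread and not Splunk's own code: a check that flags lookup files which ended up shared or in the wrong app, the situation described in the original question. It assumes the lookup-table-files listing was fetched with output_mode=json and reads each entry's acl block; the sample response, the user name "alice" and the function name are constructed for illustration.

```python
import json

# Constructed sample of a GET .../data/lookup-table-files?output_mode=json
# response; only the fields this check reads are included.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "user_april.csv",
         "acl": {"owner": "alice", "app": "app_name", "sharing": "user"}},
        {"name": "12_april_lookup.csv",
         "acl": {"owner": "alice", "app": "search", "sharing": "global"}},
        {"name": "shared_assets.csv",
         "acl": {"owner": "nobody", "app": "app_name", "sharing": "app"}},
    ]
})


def audit_lookup_sharing(response_text, expected_owner, expected_app):
    """Return (name, reasons) for every lookup file that is not private
    to expected_owner inside expected_app (hypothetical helper)."""
    findings = []
    for entry in json.loads(response_text).get("entry", []):
        acl = entry.get("acl") or {}  # a missing ACL is treated as a finding
        reasons = []
        sharing = acl.get("sharing")
        if sharing != "user":
            # "user" is the private level; "app" and "global" expose the file
            reasons.append(f"sharing={sharing!r}, expected 'user'")
        if acl.get("owner") != expected_owner:
            reasons.append(f"owner={acl.get('owner')!r}, expected {expected_owner!r}")
        if acl.get("app") != expected_app:
            reasons.append(f"app={acl.get('app')!r}, expected {expected_app!r}")
        if reasons:
            findings.append((entry.get("name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_lookup_sharing(SAMPLE_RESPONSE, "alice", "app_name"):
        print(name, "->", "; ".join(reasons))
```

Running the check after each outputlookup append would catch a file that was written under a different app context than the one used in the REST call.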