As I am working on network security project. I need to create private lookup table for individual users, such that any other user shouldn't see the content of other users Lookup table.
I have created Lookup table by:
curl -k -u username:pwd https://localhost:8089/servicesNS/nobody/*appname*/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/april.csv' -d 'name=12_april_lookup.csv'
This created '12_april_lookup.csv' file inside .../my_app/lookup/ folder. This Lookup table permission is private at this point.
When I add some data to Lookup table by below search command:
| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True
then file will get created in other app folder with become global permission. Now all user can view file content by
Can anyone help me to resolve this?
What app are you in when you run "| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True"? If it isn't the same app where you created the initial lookup, Splunk will create a new lookup in the app in which you ran that "| makeresults..." query.
All you should have to do to fix this is switch over to appname in SplunkWeb and run the query again.
Are you specifying an app context when you append data? Have you tried lowercase 'true' instead of True on createinapp? The documentation says lowercase but doesn't say it must be lowercase but in code we have to interpret your input somehow... Sometimes we expect you may use , 1, T, true, TRUE, True, tRuE... Sometimes we don't 😉
Thank u for your response.
Ya. Today morning I got to know mistake I was doing. Actually I have created custom splunk app, which doesn't have search window. By default other app was set for search. So all my lookup tables were created in other app folder.
I have facing problem in creating lookup table at lookup stage area ('/opt/splunk/var/run/splunk/lookup_tmp/') as its owner and group owner is splunk. Other users are not allowed to create lookup table at this folder.
I have searched many answer for this. As there is no REST API to create lookup table at stage area.
How can user create csv file at lookup stage?
Currently I am creating with changing folder owner from splunk to username. But this is not a correct way.
Can u guide me through ?
I have to create private lookup table for individual users, such that none other users can view each other lookup table. This private lookup table I could able to create by this REST API.
curl -k -u username:pwd https://localhost:8089/servicesNS/username/app_name/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv' -d 'name=user_april.csv'
With this I could able to create lookup table for individual user. This will create 'user_tmp_lookup.csv' inside '/opt/splunk/etc/users/username/app_name/lookup/'.
But, before this 'user_tmp_lookup.csv' should be present in lookup staging area. i.e. at this location '/opt/splunk/var/run/splunk/lookup_tmp/user_tmp_lookup.csv'. This I am doing manually, How can I create lookup at staging area?
so then my answer regarding if you were specifying the app context was correct for your original question. Please mark an answer as the answer and open a new question concerning the "lookup stage area".