Getting Data In

How to search whitelist lookup update?

sahilmits
Engager

I am looking for SPL which we can check the who can update the whitelist in lookup table and also the what changes are done , compare with previous one.

 

Thanks,

Sahil

Labels (1)
0 Karma
1 Solution

shivanshu1593
Builder

The following search will give you a list of lookups, who can read and who can edit them. These are based on roles, so you can see who has the access to the roles and that will give you an idea of who can edit the lookups in terms of users. For checking who edited the lookup, the closest that you can get is if you install the Splunk app for lookup file editing . It will give you an idea of who edited which lookup. Regarding comparing the changes, it is unfortunately not possible as of now via SPL. Lookup editor app however creates a backup of your last change, so if you have the app, you'll have to manually compare the lookups or do some Python scripting and create an app which will do it for you. 

| rest/servicesNS/-/-/data/lookup-table-files
| table title eai:acl.perms.read eai:acl.perms.write


Once lookup editor app is installed, the following search will tell you who edited which lookup:

index=_internal "Lookup edited successfully" | table _time user namespace lookup_file


++If this helps, please consider accepting as an answer++ 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

0 Karma

sahilmits
Engager

Just quick Question.

 

How to check the Lookup table version update via SPL.

 

I can see who edit the file, also need to check the Version history , Is there SPL we can see the details?

 

 

0 Karma

shivanshu1593
Builder

The following search will give you a list of lookups, who can read and who can edit them. These are based on roles, so you can see who has the access to the roles and that will give you an idea of who can edit the lookups in terms of users. For checking who edited the lookup, the closest that you can get is if you install the Splunk app for lookup file editing . It will give you an idea of who edited which lookup. Regarding comparing the changes, it is unfortunately not possible as of now via SPL. Lookup editor app however creates a backup of your last change, so if you have the app, you'll have to manually compare the lookups or do some Python scripting and create an app which will do it for you. 

| rest/servicesNS/-/-/data/lookup-table-files
| table title eai:acl.perms.read eai:acl.perms.write


Once lookup editor app is installed, the following search will tell you who edited which lookup:

index=_internal "Lookup edited successfully" | table _time user namespace lookup_file


++If this helps, please consider accepting as an answer++ 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...