How to search whitelist lookup updates?

sahilmits
Engager

I am looking for an SPL search with which we can check who can update the whitelist in the lookup table, and also what changes were made, compared with the previous version.


Thanks,

Sahil

0 Karma
1 Solution

shivanshu1593
Builder

The following search will give you a list of lookups, who can read them and who can edit them. These are based on roles, so you can see who has access to the roles, and that will give you an idea of who can edit the lookups in terms of users. For checking who edited the lookup, the closest that you can get is if you install the Splunk app for lookup file editing. It will give you an idea of who edited which lookup. Regarding comparing the changes, it is unfortunately not possible as of now via SPL. The Lookup Editor app, however, creates a backup of your last change, so if you have the app, you'll have to manually compare the lookups or do some Python scripting and create an app which will do it for you.

| rest /servicesNS/-/-/data/lookup-table-files
| table title eai:acl.perms.read eai:acl.perms.write


Once the Lookup Editor app is installed, the following search will tell you who edited which lookup:

index=_internal "Lookup edited successfully" | table _time user namespace lookup_file


++If this helps, please consider accepting as an answer++ 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###


0 Karma
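As an added example (not code from the original post, the Lookup Editor app, or Splunk), this is the kind of Python scripting the answer refers to: diff the current CSV lookup against the backup copy the Lookup Editor app keeps and report added, removed and changed rows, keyed on a column that identifies an entry. The key column `domain`, the lookup name `whitelist.csv` and the two CSV versions are constructed for the example. The key=value output lines are a suggested format: written to stdout from a scripted input, they index as events whose fields Splunk extracts automatically, so the change history becomes searchable with ordinary SPL.

```python
"""Diff two versions of a Splunk CSV lookup and report what changed.

Added example, not code from the original post, the Lookup Editor app or
Splunk itself. Assumptions: both versions share a header row, and the
column named in KEY_COLUMN uniquely identifies an entry ("domain" here is
a made-up column for a hypothetical whitelist lookup).
"""
import csv
import io
from typing import Dict, List, Tuple

KEY_COLUMN = "domain"  # assumption: the column that identifies a whitelist entry

# Constructed sample data standing in for the backup copy (OLD_CSV) and the
# current file (NEW_CSV); not real lookup contents.
OLD_CSV = """domain,owner,added_on
example.com,secops,2023-01-10
internal.corp,it,2023-02-01
partner.net,vendor-mgmt,2023-03-15
"""

NEW_CSV = """domain,owner,added_on
example.com,secops,2023-01-10
internal.corp,platform,2023-02-01
evil-looking.biz,unknown,2023-04-01
"""


def load_rows(csv_text: str, key_column: str = KEY_COLUMN) -> Dict[str, Dict[str, str]]:
    """Parse CSV text into {key: row}.

    A duplicate key is rejected rather than silently overwritten: a whitelist
    with two rows for the same entry cannot be diffed row-by-row unambiguously,
    and is itself something worth investigating.
    """
    rows: Dict[str, Dict[str, str]] = {}
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or key_column not in reader.fieldnames:
        raise ValueError(f"key column {key_column!r} missing from header")
    for row in reader:
        key = row[key_column]
        if key in rows:
            raise ValueError(f"duplicate key {key!r} in lookup")
        rows[key] = row
    return rows


def diff_lookups(old_text: str, new_text: str, key_column: str = KEY_COLUMN) -> dict:
    """Return added/removed keys and, per changed key, {column: (old, new)}."""
    old = load_rows(old_text, key_column)
    new = load_rows(new_text, key_column)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for key in sorted(set(old) & set(new)):
        columns = set(old[key]) | set(new[key])  # tolerate a column present in only one version
        delta = {
            col: (old[key].get(col), new[key].get(col))
            for col in sorted(columns)
            if old[key].get(col) != new[key].get(col)
        }
        if delta:
            changed[key] = delta
    return {"added": added, "removed": removed, "changed": changed}


def _q(value) -> str:
    """Quote a value for key="value" extraction, escaping backslash and quote."""
    text = "" if value is None else str(value)
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_events(diff: dict, lookup_name: str) -> List[str]:
    """Render the diff as one key=value line per change (a suggested format,
    not something the Lookup Editor app produces). Printed from a scripted
    input, these lines index as searchable events."""
    events = []
    for key in diff["added"]:
        events.append(f"lookup={_q(lookup_name)} action=added key={_q(key)}")
    for key in diff["removed"]:
        events.append(f"lookup={_q(lookup_name)} action=removed key={_q(key)}")
    for key, delta in diff["changed"].items():
        for col, (old_value, new_value) in delta.items():
            events.append(
                f"lookup={_q(lookup_name)} action=changed key={_q(key)} "
                f"field={_q(col)} old={_q(old_value)} new={_q(new_value)}"
            )
    return events


if __name__ == "__main__":
    for line in to_events(diff_lookups(OLD_CSV, NEW_CSV), "whitelist.csv"):
        print(line)
```

With the constructed data this reports one added entry (evil-looking.biz), one removed entry (partner.net) and one changed field (the owner of internal.corp). Once such lines are indexed, a search like `index=<your_index> lookup="whitelist.csv" action=added` gives the version history the follow-up question asks for; the `_internal` "Lookup edited successfully" events from the Lookup Editor app can then be correlated on time to attribute the change to a user.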

sahilmits
Engager

Just a quick question.

How do I check lookup table version updates via SPL?

I can see who edited the file, but I also need to check the version history. Is there an SPL search with which we can see the details?

0 Karma
