Knowledge Management

How is the outputlookup command is configured?

splunkettes
Path Finder

Does anyone know how the outputlookup command is configured? commands.conf does not reference a python script for it. I want to change how new files are created so that they are private and assigned to an owner. 

Labels (1)
Tags (2)
0 Karma
1 Solution

splunkettes
Path Finder

Decided to resolve the issue by creating a custom command to reassign lookup files from nobody to their proper owner based on results of splunk search. 

View solution in original post

0 Karma

splunkettes
Path Finder

Decided to resolve the issue by creating a custom command to reassign lookup files from nobody to their proper owner based on results of splunk search. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Outputlookup is a built-in command without an external Python script.
---
If this reply helps you, an upvote would be appreciated.
0 Karma

splunkettes
Path Finder

Thanks @richgalloway for your response. I was wondering if there is a way to modify Splunk's built in commands or at least override them with my own process. I have  a custom command that I have created that does what I want the outputlookup command to do but it would require all users to use the new command. Ideally, I would allow users to continue with the outputlookup command but change how it functions so that new files are stored in the etc/<user>/<app>/lookups directory instead of the etc/<app>/lookups directory. 

0 Karma

sftr
Observer

 

For your use case, this configuration appears to be available from within the limits.conf file:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Boutputlookup.5D

 

[outputlookup]
create_context = user

 

per the documentation:

[outputlookup]
create_context = [app|[user|system] * Specifies the context where the lookup file will be created for the first time. If there is a current application context and the following options, file will be created under: * app  : etc/apps/<app>/lookups * user  : etc/users/<user>/<app>/lookups Otherwise, file will be created under: * system : etc/system/local/lookups * Default: app

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There's no way to override a built-in command.  Your uses will have to learn to use myoutputlookup just as they once learned to use outputlookup.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...