Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How is the outputlookup command is configured?

splunkettes
Path Finder
‎08-04-2020 08:40 AM

Does anyone know how the outputlookup command is configured? commands.conf does not reference a python script for it. I want to change how new files are created so that they are private and assigned to an owner. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunkettes
Path Finder
‎08-08-2020 12:38 PM

Decided to resolve the issue by creating a custom command to reassign lookup files from nobody to their proper owner based on results of splunk search. 

View solution in original post

Reply
Solved! Jump to solution
Solution

splunkettes
Path Finder
‎08-08-2020 12:38 PM

Decided to resolve the issue by creating a custom command to reassign lookup files from nobody to their proper owner based on results of splunk search. 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2020 09:44 AM
Outputlookup is a built-in command without an external Python script.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunkettes
Path Finder
‎08-04-2020 03:39 PM

Thanks @richgalloway for your response. I was wondering if there is a way to modify Splunk's built in commands or at least override them with my own process. I have  a custom command that I have created that does what I want the outputlookup command to do but it would require all users to use the new command. Ideally, I would allow users to continue with the outputlookup command but change how it functions so that new files are stored in the etc/<user>/<app>/lookups directory instead of the etc/<app>/lookups directory. 

0 Karma
Reply
Solved! Jump to solution

aayushisplunk1
Path Finder
‎12-26-2022 05:55 AM

Hi @splunkettes 

Please guide how you created the custom search command similar to outputlookup command. 

 

0 Karma
Reply
Solved! Jump to solution

sftr
Observer
‎04-20-2022 05:52 AM

 

For your use case, this configuration appears to be available from within the limits.conf file:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Boutputlookup.5D

 

[outputlookup]
create_context = user

 

per the documentation:

[outputlookup]
create_context = [app|[user|system]
* Specifies the context where the lookup file will be created for the first time.
  If there is a current application context and the following options,
  file will be created under:
  * app    : etc/apps/<app>/lookups
  * user   : etc/users/<user>/<app>/lookups
  Otherwise, file will be created under:
  * system : etc/system/local/lookups
* Default: app

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2020 04:47 PM

There's no way to override a built-in command.  Your users will have to learn to use myoutputlookup just as they once learned to use outputlookup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...