Knowledge Management

How is the outputlookup command configured?

splunkettes
Path Finder

Does anyone know how the outputlookup command is configured? commands.conf does not reference a python script for it. I want to change how new files are created so that they are private and assigned to an owner. 

1 Solution

splunkettes
Path Finder

Decided to resolve the issue by creating a custom command to reassign lookup files from nobody to their proper owner based on the results of a Splunk search.


richgalloway
SplunkTrust
Outputlookup is a built-in command without an external Python script.
---
If this reply helps you, Karma would be appreciated.

splunkettes
Path Finder

Thanks @richgalloway for your response. I was wondering if there is a way to modify Splunk's built-in commands or at least override them with my own process. I have a custom command that I have created that does what I want the outputlookup command to do, but it would require all users to use the new command. Ideally, I would allow users to continue with the outputlookup command but change how it functions so that new files are stored in the etc/<user>/<app>/lookups directory instead of the etc/<app>/lookups directory.


aayushisplunk1
Path Finder

Hi @splunkettes 

Please guide me on how you created the custom search command similar to the outputlookup command.

 


sftr
Observer

 

For your use case, this configuration appears to be available from within the limits.conf file:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Boutputlookup.5D

 

[outputlookup]
create_context = user

 

per the documentation:

[outputlookup]
create_context = [app|user|system]
* Specifies the context where the lookup file will be created for the first time.
  If there is a current application context and the following options, file will be created under:
  * app  : etc/apps/<app>/lookups
  * user  : etc/users/<user>/<app>/lookups
  Otherwise, file will be created under:
  * system : etc/system/local/lookups
* Default: app

 

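As an added example (not from the thread and not Splunk's own code), this Python resolves the effective `create_context` from layered limits.conf text and the directory where `outputlookup` would first create a file, following the documentation quoted above. The function names, the constructed conf text, the default-then-local layering order, and the `search`/`alice` names are assumptions made for the example.

```python
import configparser

VALID_CONTEXTS = ("app", "user", "system")


def effective_create_context(*conf_texts):
    """Return [outputlookup] create_context; later texts override earlier
    ones (assumed order: default file first, then local)."""
    value = "app"  # default stated in the quoted documentation
    for text in conf_texts:
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.read_string(text)
        if parser.has_option("outputlookup", "create_context"):
            value = parser.get("outputlookup", "create_context").strip()
    if value not in VALID_CONTEXTS:
        raise ValueError(f"unsupported create_context: {value!r}")
    return value


def lookup_create_dir(context, app=None, user=None):
    """Directory where a new lookup file is first created, per the quoted docs."""
    if context not in VALID_CONTEXTS:
        raise ValueError(f"unsupported create_context: {context!r}")
    if app and context == "app":
        return f"etc/apps/{app}/lookups"
    if app and context == "user":
        if not user:
            raise ValueError("user context needs a user name")
        return f"etc/users/{user}/{app}/lookups"
    # No application context, or context == "system".
    return "etc/system/local/lookups"


# Constructed sample input, not taken from a real deployment.
DEFAULT_CONF = """
[outputlookup]
create_context = app
"""
LOCAL_CONF = """
# local override, as suggested in the reply above
[outputlookup]
create_context = user
"""

if __name__ == "__main__":
    layers = (("default only", (DEFAULT_CONF,)),
              ("default + local", (DEFAULT_CONF, LOCAL_CONF)))
    for label, texts in layers:
        ctx = effective_create_context(*texts)
        print(f"{label}: {ctx} -> {lookup_create_dir(ctx, app='search', user='alice')}")
```
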

richgalloway
SplunkTrust

There's no way to override a built-in command.  Your users will have to learn to use myoutputlookup just as they once learned to use outputlookup.
