I'm trying to better understand the relationship of a defined lookup in Splunk (8.0.1) and its file permissions when running on Linux.
We have an app containing the following:
From observation, if the foo.csv file is given explicit permissions, say chmod 644, those permissions are preserved when appending to the csv file (| outputlookup append=true foo); however, the permissions are lost (reset to 600) when overwriting the csv file (| outputlookup append=false foo).
Is there a way to preserve a lookup csv file's permissions in Linux when overwriting its contents through Splunk?
This would have to be done outside of Splunk. Consider either setting the umask for the Splunk account or using setfacl to control access to the CSV.
For context, we have a user (and group) named splunk which runs our Splunk instance. The umask for this account is 0002 (u=rwx,g=rwx,o=rx). Observing default file permissions as the splunk user:
[splunk@___ ~]$ touch foo && ls foo -l
-rw-rw-r-- 1 splunk splunk 0 Sep 29 17:02 foo
My assumption was there was some Splunk configuration controlling the file permissions of the lookup csv file, but based on your feedback it sounds like that's not the case.