Re: Linux file permissions for regularly overwritt...

broccliman · ‎09-29-2020

I'm trying to better understand the relationship of a defined lookup in Splunk (8.0.1) and its file permissions when running on Linux.

We have an app containing the following:

A file-lookup definition, call it foo
A lookup csv file, named foo.csv
A scheduled saved search to modify the contents of foo lookup on some interval

From observation, if the foo.csv file is given explicit permissions, say chmod 644, those permissions are preserved when appending to the csv file (| outputlookup append=true foo); however, the permissions are lost (reset to 600) when overwriting the csv file (| outputlookup append=false foo).

Is there a way to preserve a lookup csv file's permissions in Linux when overwriting its contents through Splunk?

richgalloway · ‎09-29-2020

This would have to be done outside of Splunk. Consider either setting the umask for the Splunk account or using setfacl to control access to the CSV.

---
If this reply helps you, Karma would be appreciated.

broccliman · ‎09-29-2020

For context, we have a user (and group) named splunk which runs our Splunk instance. The umask for this account is 0002 (u=rwx,g=rwx,o=rx). Observing default file permissions as the splunk user:

[splunk@___ ~]$ touch foo && ls foo -l
-rw-rw-r-- 1 splunk splunk 0 Sep 29 17:02 foo

My assumption was there was some Splunk configuration controlling the file permissions of the lookup csv file, but based on your feedback it sounds like that's not the case.

Linux file permissions for regularly overwritten lookup csv file

lookup

permissions

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!