Knowledge Management

Linux file permissions for regularly overwritten lookup csv file

broccliman
Explorer

I'm trying to better understand the relationship of a defined lookup in Splunk (8.0.1) and its file permissions when running on Linux.

We have an app containing the following:

  • A file-lookup definition, call it foo
  • A lookup csv file, named foo.csv
  • A scheduled saved search to modify the contents of foo lookup on some interval

From observation, if the foo.csv file is given explicit permissions, say chmod 644, those permissions are preserved when appending to the csv file (| outputlookup append=true foo); however, the permissions are lost (reset to 600) when overwriting the csv file (| outputlookup append=false foo).

Is there a way to preserve a lookup csv file's permissions in Linux when overwriting its contents through Splunk?

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This would have to be done outside of Splunk.  Consider either setting the umask for the Splunk account or using setfacl to control access to the CSV.

---
If this reply helps you, Karma would be appreciated.

broccliman
Explorer

For context, we have a user (and group) named splunk which runs our Splunk instance. The umask for this account is 0002 (u=rwx,g=rwx,o=rx). Observing default file permissions as the splunk user:

[splunk@___ ~]$ touch foo && ls foo -l
-rw-rw-r-- 1 splunk splunk 0 Sep 29 17:02 foo

My assumption was there was some Splunk configuration controlling the file permissions of the lookup csv file, but based on your feedback it sounds like that's not the case.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...