I'm trying to better understand the relationship of a defined lookup in Splunk (8.0.1) and its file permissions when running on Linux.
We have an app containing the following:
A file-lookup definition, call it foo
A lookup csv file, named foo.csv
A scheduled saved search to modify the contents of foo lookup on some interval
From observation, if the foo.csv file is given explicit permissions, say chmod 644, those permissions are preserved when appending to the csv file (| outputlookup append=true foo); however, the permissions are lost (reset to 600) when overwriting the csv file (| outputlookup append=false foo).
Is there a way to preserve a lookup csv file's permissions in Linux when overwriting its contents through Splunk?