SITUATION

• I'd like to track the changes done to lookup tables.
• I observe this helpful post: "https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-the-Audit-for-Lookup-files-modificat..."
• I observe the below sourcetypes having "Lookup edited successfully"
  • lookup_editor_rest_handler
  • lookup_editor_controller
• I observe both having "Lookup edited successfully"
• I observe both having unique event counts for the same time window
• I observe "lookup_editor_controller" having the "action" field while lookup_editor_rest_handler" does not

PROBLEM

• I don't know which sourcetype I should use.

QUESTION

• Which sourcetype should I use?