I have a lookup table that stores employee data to map employee numbers and departments. In the dashboard I will use the following SPL, but I don't want the user to query the lookup table or export it separately. Is there any way to solve this problem?
index=idx_foo | rename owner.email as user_mail | join type=left user_mail [inputlookup append=t company_emp_all.csv] | fields project, user_name, user_dept
Two ways I can think of (But not sure how your infrastructure permissions are driven, so not guaranteed to work)
user_name etc. So you can have a saved-search to generate this lookup (using outputlookup) once every xx minutes from the original
$SPLUNK_HOME/etc/apps/<your_app_name>/metadata/default.meta to prevent the lookup being exposed. Again, I don't know the user permission/role in your organisation, so not guaranteed to work
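An added example, not part of the original answer, of how the two suggestions above could fit together: a scheduled search writes a reduced lookup holding only the fields the dashboard displays, and `default.meta` limits read access to the full file. The reduced lookup name `company_emp_dashboard.csv`, the saved-search name, the schedule and the `admin` role are assumptions; the field names come from the question.

```ini
# savedsearches.conf (in the app): hypothetical scheduled search, assumed to be
# owned by a user who can read the full lookup. It copies only the columns the
# dashboard needs, so employee numbers never reach the reduced file.
[Build dashboard employee lookup]
search = | inputlookup company_emp_all.csv | fields user_mail, user_name, user_dept | outputlookup company_emp_dashboard.csv
enableSched = 1
cron_schedule = */30 * * * *

# metadata/default.meta (in the same app)
# Full lookup: readable and writable only by the assumed admin role,
# and not shared outside this app.
[lookups/company_emp_all.csv]
access = read : [ admin ], write : [ admin ]
export = none

# Reduced lookup: readable by dashboard users, writable only by admin.
[lookups/company_emp_dashboard.csv]
access = read : [ * ], write : [ admin ]
export = none
```

Dashboard searches run with the viewing user's permissions, so the panel has to reference the reduced lookup, which stays queryable but contains nothing beyond what the dashboard already shows.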
At first, your search isn't correct (inputlookup needs a pipe), and you don't need to join a search and a lookup, because you can use the lookup command, which is the same thing; in other words, the correct search is:
index=idx_foo | lookup company_emp_all.csv user_mail AS owner.email OUTPUT lookup_interesting_fields | fields project, user_name, user_dept
The only way is to block the access to the search dashboard for that user's role.
You can do it by disabling the "Open in search" button in each dashboard's panel and disabling access to the Search and Reporting dashboard in all apps.