Splunk external lookup data viewable only in Searc...

SplunkExplorer · ‎03-05-2024

Hi Splunkers, for our customer we need to populate an external lookup. We are on a Splunk SaaS env.
A colleague has developed a simple app to achieve this purpose. After some test, the lookup seems to be populated fine.
Our current problem is: if we use this lookup in a search executed from Search and Reporting app, it return expected results. No issue, no missing data. But, if we try from another app able to execute a search (I mean, with search function available), on the same data set and time range, output is empty. We suspect it's related to a permission problem (may be the app has no permission to write on underlying file system, due we are in a cloud env?), but we are not sure. Moreover, even if we are right how could be fix the issue?

tej57 · ‎04-29-2024

Hey @SplunkExplorer ,

As you mentioned, it indeed is a permission issue. The lookup might be created within the search app context and the permission might not be shared to access the lookup within different app context. You can update the permission of the KO to be shared globally and it should resolve your concern.

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

Splunk external lookup data viewable only in Search and Reporting

administration

configuration

Splunk Investigate

using Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?