How to modify lookup ACL via custom REST in Python...

GindiKhangura · ‎05-14-2021

(Although this example will use Splunk's Lookup Editor app, it applies to custom REST commands in general.)

I am using the Lookup Editor provided by Splunk from SplunkBase (authored by @LukeMurphey) and am saving the lookups with the user in context, which saves it as a private user-scoped artifact.

I would like to make it globally shared while retaining the lookup's ownership information, so I attempt the following after the rest call that saves the lookup:

# Set ACL to make lookup globally shared
url = '/servicesNS/%s/%s/data/lookup-table-files/%s/acl' % (owner, namespace, lookup_file)
postargs = {
    'owner': owner, 
    'sharing': 'global'
}

rest.simpleRequest(url, postargs=postargs, sessionKey=key, raiseAllErrors=True)

When using the lookup editor as an admin, it will work fine as the admin has the capabilities to make such modifications; however, users are not able to do so and the call fails.

How can I programmatically make this REST call as an admin? I am hoping that as the script is on the server-side, I won't have to authenticate as an admin as I imagine that would require having to store credentials, which would be tricky as we have several clusters.

I have also tried making the REST call using the Splunk binary as mentioned in this Answer, but it had no effect.

How to modify lookup ACL via custom REST in Python?

Python

rest API

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation