Splunk Enterprise Security

In the Lookup File Editor App, can you help me with the lookup permissions?

Path Finder


When having lookups contained within an app, is it possible to set user permissions at the 'app' level as opposed to editing the .meta file contained within the app for each individual lookup?

We have two groups of end users. I would like to create an app for each, so that lookups used by each group are stored within the relevant app.

Then, rather than have to edit the default.meta every time a new lookup is added to provide that group write access, I'd like to set the permissions against that app, so that the permissions are inherited down to the lookups contained within.

Any ideas?

0 Karma


Splunk's management interface allows you to edit lookup table permissions in the UI.

  1. Click "Lookups" from the "Settings" menu at the top right of Splunk
  2. Select "Lookup table files"
  3. Click "Permissions" next to the lookup you want to edit.

Additionally, the Lookup File Editor app includes a link to adjust permissions in the lookup list (see the link for "Edit Permissions"):

alt text

0 Karma


You can change permissions on the SPlunk UI, Settings->Lookups->Lookup table files. You have Sharing column under which you can change permissions . Is that what you are looking for?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!