Splunk Enterprise Security

In the Lookup File Editor App, can you help me with the lookup permissions?

Path Finder


When having lookups contained within an app, is it possible to set user permissions at the 'app' level as opposed to editing the .meta file contained within the app for each individual lookup?

We have two groups of end users. I would like to create an app for each, so that lookups used by each group are stored within the relevant app.

Then, rather than have to edit the default.meta every time a new lookup is added to provide that group write access, I'd like to set the permissions against that app, so that the permissions are inherited down to the lookups contained within.

Any ideas?

0 Karma


Splunk's management interface allows you to edit lookup table permissions in the UI.

  1. Click "Lookups" from the "Settings" menu at the top right of Splunk
  2. Select "Lookup table files"
  3. Click "Permissions" next to the lookup you want to edit.

Additionally, the Lookup File Editor app includes a link to adjust permissions in the lookup list (see the link for "Edit Permissions"):

alt text

0 Karma


You can change permissions on the SPlunk UI, Settings->Lookups->Lookup table files. You have Sharing column under which you can change permissions . Is that what you are looking for?

0 Karma
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...