Splunk Enterprise

assign lookup to other owner

sarit_s
Communicator

Hello,

Today my lookup files are owned by "nobody". In order to change their permissions, I have to assign them to another user such as admin (all the lookups are located under system and not under a specific app).

Since we are working with Kubernetes, we are duplicating our environments, and all the changes have to be in the configuration files and not via the web.

Where is this file located?

 

thanks

sarit

0 Karma

inventsekar
Super Champion

from /opt/splunk/etc ($SPLUNK_HOME/etc), you can simply run find command with the filename.csv

linux find command for your reference:

find /opt/splunk/etc -name testlookup.csv -print -exec ls -l {} \;

0 Karma

sarit_s
Communicator

Sorry, maybe I didn't explain myself very well.

It is a lookup definition. It can be a KV store or a CSV file.

I'm looking for a conf file that owns all the configuration, so I can change it there.

Since I'm using Kubernetes, I have to make the changes in a conf file and deploy it.

0 Karma

inventsekar
Super Champion

Hi @sarit_s ..

This page will be helpful to you:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/ConfigureCSVlookups

 

Please note, Lookup tables are created and modified on a search head

0 Karma

sarit_s
Communicator

Sorry, but this is not what I'm looking for.

 

I know how to do it by using the GUI. Since I'm working with Kubernetes and every change in the system has to be deployed as a system version, I need to make the changes in the conf files themselves.

I know that every GUI configuration in Splunk has a conf file behind it, so I'm looking for this file 🙂

0 Karma

soutamo
SplunkTrust
As those are owned by nobody, that is usually defined in local.meta or default.meta in the same directory hierarchy where those lookups are. In your case those should be under .../etc/system/lookups and the metadata is under .../etc/system/metadata. Just add/change the needed information in those *.meta files to change the ownership to admin. You can see examples e.g. in .../etc/apps/search/... where those geo* lookups are defined.

Anyhow, it's much better to create your own app for these and manage those permissions etc. under it.

r. Ismo
0 Karma

sarit_s
Communicator

Well, I'm looking at the local.meta and all I see are stanzas like this:

 

[server/general]
version = 7.2.6
modtime =

Nothing with ownership or something similar...

0 Karma

soutamo
SplunkTrust
You should add owner = <user> there.
0 Karma
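
Added example, not part of the thread or of Splunk's own tooling: for a deployment where every change has to ship as a file, a small helper that sets `owner = <user>` in a `.meta` stanza and can be re-run safely. It assumes the `.meta` stanza form `[<object type>/<object name>]`, with `lookups/<file>` for a lookup table file and `transforms/<name>` for a lookup definition; the sample contents and the name `my_lookup` are constructed.

```python
import re

OWNER_RE = re.compile(r"^\s*owner\s*=")

def set_meta_owner(meta_text, stanza, owner):
    """Return meta_text with `owner = <owner>` set inside [stanza].

    The stanza is appended if it does not exist; every other stanza and
    key is passed through unchanged. Running it twice gives the same text.
    """
    header = f"[{stanza}]"
    out, in_target, found = [], False, False
    for line in meta_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_target = stripped == header
            out.append(line)
            if in_target:
                found = True
                out.append(f"owner = {owner}")  # new owner right after header
            continue
        if in_target and OWNER_RE.match(line):
            continue  # drop the previous owner line of the target stanza
        out.append(line)
    if not found:
        if out and out[-1].strip():
            out.append("")  # blank line between stanzas
        out += [header, f"owner = {owner}"]
    return "\n".join(out) + "\n"

# Constructed sample of an etc/system/metadata/local.meta file.
SAMPLE = """[server/general]
version = 7.2.6
modtime =

[lookups/testlookup.csv]
owner = nobody
export = system
"""

if __name__ == "__main__":
    # Lookup table file: change the existing owner.
    text = set_meta_owner(SAMPLE, "lookups/testlookup.csv", "admin")
    # Lookup definition (hypothetical name): stanza is created.
    text = set_meta_owner(text, "transforms/my_lookup", "admin")
    print(text, end="")
```
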

inventsekar
Super Champion

Hi @sarit_s .. Please let us know which Splunk instance (search head/indexer/UF, etc.) you are creating with Kubernetes. If you give us clearer information, it will be helpful. Thanks.

 

karma points are appreciated, if the issue resolved, please accept the reply as solution. thanks. 

0 Karma

sarit_s
Communicator

The whole Splunk environment is created with Kubernetes.
Most of the configuration changes are on the search head, but I think it doesn't matter which kind of server it is. I just need to know which file to update.

0 Karma

inventsekar
Super Champion

Hi @sarit_s 

You can find all lookup files at
Splunk GUI --> Settings --> Lookups --> Lookup table files

 

EDIT - the above step will list all the lookup files; you can change their permissions, move them to a new app, etc.

Apps/add-ons like CIM will have a lot of lookup files which are "no owner" and they will work just fine; there will be no issue.

To change the ownership of a lookup file, I think you need to update the metadata files. Please check these:

https://community.splunk.com/t5/Splunk-Search/How-to-do-you-change-ownership-of-a-lookup-file/m-p/38...

https://community.splunk.com/t5/Security/Change-App-and-Object-Ownership/td-p/34667

https://community.splunk.com/t5/Splunk-Search/change-how-outputlookup-assigns-permissions-and-owners...

https://community.splunk.com/t5/Splunk-Search/Can-we-create-lookup-table-for-specific-owner/m-p/3357...

 

0 Karma

sarit_s
Communicator

From the GUI, I know.

But I'm talking about a lookup definition and I'm wondering if there is a configuration file.

0 Karma

inventsekar
Super Champion

As per Richgalloway's answer from the above links:

You'll have to move the files manually from $SPLUNK_HOME/etc/users/<olduser>/<app>/lookups/* to $SPLUNK_HOME/etc/users/<newuser>/lookups.

 

the metadata file path:

$SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta 

 

if an answer helped you, you can add a karma point.. if an answer solved your issue, pls accept it as Solution, so that the question will be moved from unanswered to solved. 

0 Karma

sarit_s
Communicator

Since the files are owned by nobody, I can't see them under the user folder.

 

Is all this information located in some conf file?

0 Karma