Hello,
Today my lookup files are owned by "nobody". In order to change their permissions, I have to assign them to another user such as admin (all the lookups are located under system and not under a specific app).
Since we are working with Kubernetes, we are duplicating our environments, and all the changes have to be in the configuration files and not via the web.
Where is this file located?
Thanks
sarit
From /opt/splunk/etc ($SPLUNK_HOME/etc), you can simply run the find command with the filename.csv.
Linux find command for your reference:
find /opt/splunk/etc -name testlookup.csv -print -exec ls -l {} \;
Sorry, maybe I didn't explain myself very well.
It is a lookup definition. It can be a KV store or a CSV file.
I'm looking for a conf file that owns all the configuration so that I can change it there.
Since I'm using Kubernetes, I have to make the changes in a conf file and deploy it.
Hi @sarit_s ..
This page will be helpful to you:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/ConfigureCSVlookups
Please note, Lookup tables are created and modified on a search head.
Sorry, but this is not what I'm looking for.
I know how to do it using the GUI. Since I'm working with Kubernetes and every change in the system has to be deployed as a system version, I need to make the changes in the conf files themselves.
I know that every GUI configuration in Splunk has a conf file behind it, so I'm looking for this file 🙂
Well, I'm looking at the local.meta and all I see are stanzas like this:
[server/general]
version = 7.2.6
modtime =
Nothing with ownership or anything similar...
Hi @sarit_s, please let us know which Splunk instance (search head/indexer/UF, etc.) you are creating with Kubernetes. If you give us clearer information, it will be helpful. Thanks.
Karma points are appreciated. If the issue is resolved, please accept the reply as the solution. Thanks.
The whole Splunk environment is created with Kubernetes.
Most of the configuration changes are on the search head, but I think it doesn't matter which kind of server it is; I just need to know which file to update.
Hi @sarit_s
You can find all lookup files at
Splunk GUI --> Settings --> Lookups --> Lookup table files
EDIT - the above step will list all the lookup files; you can change their permissions, move them to a new app, etc.
The apps/add-ons like CIM will have a lot of lookup files which are "no owner" and they will work just fine; there will be no issue.
To change the ownership of a lookup file, I think you need to update the metadata files. Please check these:
https://community.splunk.com/t5/Security/Change-App-and-Object-Ownership/td-p/34667
From the GUI, I know.
But I'm talking about the lookup definition and I'm wondering if there is a configuration file.
As per Richgalloway's answer from the above links:
You'll have to move the files manually from $SPLUNK_HOME/etc/users/<olduser>/<app>/lookups/* to $SPLUNK_HOME/etc/users/<newuser>/lookups.
The metadata file path:
$SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta
If an answer helped you, you can add a karma point. If an answer solved your issue, please accept it as the solution, so that the question will be moved from unanswered to solved.
Since the files are owned by nobody, I can't see them under the user folder.
Is all this information located in some conf file?
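Added example, not part of the original thread and not Splunk's own code: a small Python sketch that reads the text of a `metadata/local.meta` file, reports the owner recorded for each lookup file and lookup definition, and rewrites the `owner` key so the change can be shipped as a file. It assumes the usual `.meta` stanza naming of `<object type>/<object name>` (`lookups/<file>` for lookup table files, `transforms/<name>` for lookup definitions) with an `owner` key; the sample file is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[lookups/testlookup.csv]
export = system

[transforms/testlookup]
owner = nobody

[savedsearches/Example]
owner = admin
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")

def parse_meta(text):
    """Parse .meta text into {stanza name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = STANZA.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lookup_owners(stanzas):
    """Owner of each lookup file/definition stanza; None means no owner key."""
    return {name: keys.get("owner") for name, keys in stanzas.items()
            if name.startswith(("lookups/", "transforms/"))}

def set_owner(text, stanza, owner):
    """Return the .meta text with 'owner' set in one stanza, rest untouched."""
    out, inside = [], False
    for line in text.splitlines():
        match = STANZA.match(line.strip())
        if match:
            inside = match.group(1) == stanza
            out.append(line)
            if inside:
                out.append(f"owner = {owner}")
        elif not (inside and line.split("=", 1)[0].strip() == "owner"):
            out.append(line)
    return "\n".join(out) + "\n"
```

Run `lookup_owners(parse_meta(...))` before and after `set_owner` to confirm that only the intended stanza changed and that the `access` lines still grant what you expect.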