As we know, a lookup table can be created as global if the file is located at '$SPLUNK_HOME/etc/system/lookups', and can be created for a particular app if the file is present at '$SPLUNK_HOME/etc/apps/appname/lookups'.
Can we create a lookup file for each user, if the file is present at '$SPLUNK_HOME/etc/users/username/app_name/lookups'?
How can we do this with outputlookup or is there any way to do this?
If you can't get it done that way, you should be able to use a macro or custom command to set a unique name of the output file for each user by appending the user id.
Here's a link to one method to identify the user.
Ya. Creating a lookup file for each individual user can be differentiated by appending the username. But I want to create a private lookup file for each individual user, such that other users shouldn't see the contents of another user's lookup. How can I create any type of file or DB or anything so that the data shouldn't be visible to others?
The lookup table files created in path $SPLUNK_HOME/etc/users/username/app_name/lookups are private to the username. The outputlookup command creates a lookup with global sharing in either etc/apps or etc/system/local depending upon the parameters passed. What is your use-case to create a lookup only for a user?
We want to create a lookup table to store confidential data of each user who logs into Splunk, like: username, password and some token specific to each user.
So we thought, let's create a private lookup table for each user at this location $SPLUNK_HOME/etc/users/username/app_name/lookups so that other users cannot view its content with | inputlookup lookup_file_name.csv.
But currently I saw that this doesn't work. Even after creating a lookup table private to a user, any other user can change the permission of the lookup table: in Settings > Lookups > Lookup table files, the permission can be changed from private to global, and everyone can see the lookup file content.
Is there any way that confidential data can be stored in such a way that no one can access the data?
Okay, that's really not aligned with the purpose and architectural assumptions of Splunk lookup tables and CSVs.
So a more accurate statement of your need is: "What options are available to securely store user-specific information in such a way that it is never exposed?"
Since security in Splunk is generally at the role level, that's probably going to require a custom search command... and I don't see right off how to efficiently accomplish it. I'd tend to set the repository up in an external database, probably SQL Server accessed via DBConnect, but that's one of those things where I'd just be using the tools that are most familiar and that I know will be able to do the job. YMMV.
@DalJeanis I am also looking to change permissions of the file generated by outputlookup. At the moment, it gives read access globally. So is there a way by which we can restrict it to only some particular group or even make it private?
@kgup0003 - please do not post "followup" questions on old posts... This post is nearly two years old. Just ask your new question newly, and link to the old related post to show that you have done your homework.
Brief answer: You can define a lookup in an app, accessible at the app level, and restrict access to that app to particular roles. If you need more information on this, please post a new question with full details of your needs and your use case.
I would just add a field to a shared lookup called user and then use a REST API call to get the username of the user running the search and then pass in this user value as an input to the lookup.
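
The approach from the last answer, as an added example that is not part of the original thread: two separate searches against a shared lookup keyed by a user field. The lookup file name user_settings.csv and the preference and updated fields are assumptions made for illustration; the first search upserts the calling user's row, the second reads back only that row.

```spl
| rest /services/authentication/current-context splunk_server=local
| fields username
| rename username AS user
| eval preference="dark_theme", updated=now()
| inputlookup append=true user_settings.csv
| dedup user
| outputlookup user_settings.csv

| rest /services/authentication/current-context splunk_server=local
| fields username
| rename username AS user
| lookup user_settings.csv user OUTPUT preference updated
```

This only selects the caller's row: anyone with read access to the shared lookup can still list every row with | inputlookup user_settings.csv, so it does not provide the confidentiality asked for earlier in the thread.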