Splunk Search

Does Splunk Log if a lookup file is modified?

Path Finder

Does Splunk generate logs when a lookup file is modified?

I have some searches that use lookup files. I'd like to monitor when the lookup file is modified.

Tags (1)
0 Karma

Explorer

@AndySplunks  The following search will show you the lookup files within Splunk and the last updated date.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| table title updated

This search is for when they are actually edited:
index=_internal "Lookup edited successfully" |table _time namespace lookup_file user

Motivator

Greetings @AndySplunks,

If you navigate to the lookup in the Lookup Editor app, is there a "Revert to previous version" button? I don't know exactly how it works (i.e. what triggers a backup), but Splunk does, in some cases, save backups in a subfolder of the lookup directory on the file system. I'm fairly confident that there is always a backup saved when lookups are modified via the "import" feature. Outside of that, I'm not sure.

Cheers,
Jacob

Cheers,
Jacob
0 Karma