Splunk Search

Does Splunk Log if a lookup file is modified?

AndySplunks
Communicator

Does Splunk generate logs when a lookup file is modified?

I have some searches that use lookup files. I'd like to monitor when the lookup file is modified.

0 Karma

rbar16
Explorer

@AndySplunks The following search will show you the lookup files within Splunk and the last updated date.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| table title updated

This search is for when they are actually edited:

index=_internal "Lookup edited successfully"
| table _time namespace lookup_file user
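
An added example, not part of the answer above: one way to turn the REST listing into a change monitor is to poll the endpoint with `output_mode=json`, keep the previous result, and diff the two. The JSON shape (`entry[].name`, `entry[].updated`, `entry[].acl.app`) and both sample polls are assumptions constructed for illustration.

```python
import json

# Constructed samples of two polls of
# /servicesNS/-/-/data/lookup-table-files?output_mode=json
# Assumed shape: entry[].name, entry[].updated, entry[].acl.app (not real output).
POLL_1 = json.dumps({"entry": [
    {"name": "assets.csv", "updated": "2024-11-01T08:00:00+00:00", "acl": {"app": "search"}},
    {"name": "allowlist.csv", "updated": "2024-11-01T08:00:00+00:00", "acl": {"app": "search"}},
    {"name": "allowlist.csv", "updated": "2024-10-20T12:30:00+00:00", "acl": {"app": "soc_app"}},
]})
POLL_2 = json.dumps({"entry": [
    {"name": "assets.csv", "updated": "2024-11-01T08:00:00+00:00", "acl": {"app": "search"}},
    {"name": "allowlist.csv", "updated": "2024-11-05T14:22:10+00:00", "acl": {"app": "search"}},
    {"name": "threat_intel.csv", "updated": "2024-11-05T09:00:00+00:00", "acl": {"app": "soc_app"}},
]})


def snapshot(rest_json):
    """Map (app, lookup file name) -> 'updated' timestamp string.

    The app is part of the key because the same file name can exist in
    several apps, and a change in one must not mask or mimic the other.
    """
    snap = {}
    for entry in json.loads(rest_json).get("entry", []):
        app = entry.get("acl", {}).get("app", "unknown")
        snap[(app, entry["name"])] = entry.get("updated", "")
    return snap


def diff_snapshots(old, new):
    """Return added, removed and modified (app, name) keys between two polls."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        # Timestamps are compared for inequality only, so no parsing is needed.
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }


if __name__ == "__main__":
    changes = diff_snapshots(snapshot(POLL_1), snapshot(POLL_2))
    for kind, keys in changes.items():
        for app, name in keys:
            print(f"{kind}: {app}/{name}")
```

The diff only says that a file changed between polls; the `index=_internal` search above is what attributes an edit to a user.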

jacobpevans
Motivator

Greetings @AndySplunks,

If you navigate to the lookup in the Lookup Editor app, is there a "Revert to previous version" button? I don't know exactly how it works (i.e. what triggers a backup), but Splunk does, in some cases, save backups in a subfolder of the lookup directory on the file system. I'm fairly confident that there is always a backup saved when lookups are modified via the "import" feature. Outside of that, I'm not sure.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma