Does Splunk generate logs when a lookup file is modified?
I have some searches that use lookup files. I'd like to monitor when the lookup file is modified.
@AndySplunks The following search will show you the lookup files within Splunk and the last updated date.
| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| table title updated
This search is for when they are actually edited:
index=_internal "Lookup edited successfully" | table _time namespace lookup_file user
Greetings @AndySplunks,
If you navigate to the lookup in the Lookup Editor app, is there a "Revert to previous version" button? I don't know exactly how it works (i.e. what triggers a backup), but Splunk does, in some cases, save backups in a subfolder of the lookup directory on the file system. I'm fairly confident that there is always a backup saved when lookups are modified via the "import" feature. Outside of that, I'm not sure.
Cheers,
Jacob