
Does Splunk Log if a lookup file is modified?


Does Splunk generate logs when a lookup file is modified?

I have some searches that use lookup files. I'd like to monitor when the lookup file is modified.



@AndySplunks The following search will show you the lookup files within Splunk and the last updated date.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| table title updated

This search is for when they are actually edited:
index=_internal "Lookup edited successfully" |table _time namespace lookup_file user
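
The "Lookup edited successfully" search above only covers edits that write that message, so comparing periodic snapshots of the REST listing is one way to notice other changes. The following is an added example, not code from the answer or from Splunk; it assumes the endpoint's JSON output (`output_mode=json`) carries an `entry` list with `name`, `updated` and `acl.app` fields, and the sample responses are constructed.

```python
import json

def snapshot(rest_json: str) -> dict:
    """Map (app, lookup file name) -> 'updated' value from one REST response."""
    entries = json.loads(rest_json).get("entry", [])
    return {
        (e.get("acl", {}).get("app", "?"), e["name"]): e.get("updated", "")
        for e in entries
    }

def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify lookup files as added, removed or modified between snapshots."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        # Any change in the 'updated' value counts, whichever direction it moved.
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }

# Constructed sample data (assumed field layout, not captured from a real server).
BASELINE = json.dumps({"entry": [
    {"name": "allowlist.csv", "updated": "2024-03-01T09:15:00+00:00",
     "acl": {"app": "security_app"}},
    {"name": "old_hosts.csv", "updated": "2024-02-10T12:00:00+00:00",
     "acl": {"app": "search"}},
    {"name": "geo.csv", "updated": "2024-01-05T08:00:00+00:00",
     "acl": {"app": "search"}},
]})
CURRENT = json.dumps({"entry": [
    {"name": "allowlist.csv", "updated": "2024-03-04T22:41:07+00:00",
     "acl": {"app": "security_app"}},
    {"name": "geo.csv", "updated": "2024-01-05T08:00:00+00:00",
     "acl": {"app": "search"}},
    {"name": "new_assets.csv", "updated": "2024-03-04T10:00:00+00:00",
     "acl": {"app": "search"}},
]})

def demo() -> dict:
    """Diff the two constructed snapshots."""
    return diff_snapshots(snapshot(BASELINE), snapshot(CURRENT))

if __name__ == "__main__":
    for kind, keys in demo().items():
        for app, name in keys:
            print(f"{kind}: {app}/{name}")
```

Keying on the app as well as the file name keeps same-named lookups in different apps from masking each other.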


Greetings @AndySplunks,

If you navigate to the lookup in the Lookup Editor app, is there a "Revert to previous version" button? I don't know exactly how it works (i.e. what triggers a backup), but Splunk does, in some cases, save backups in a subfolder of the lookup directory on the file system. I'm fairly confident that there is always a backup saved when lookups are modified via the "import" feature. Outside of that, I'm not sure.



If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.