How to access a lookup created in one app in anoth...

mscomms · ‎03-02-2022

Hi All,

Splunk Enterprise 8.2.4 Clustered

I have an issue where I have an existing app with a lookup listing all devices we are monitoring and I have a new app where I pull a subset of these devices to provide a dashboard for the team that supports them.

The underlying search

"| inputlookup NocIP.csv
| search Datasource="Eaton" OR Datasource="eltek"

Works fine within the original app and works fine from the new app using my "General user" which has admin rights but using a user set up for the support team using the new app the search fails with the following result

the lookup table file has the following permissions set

The lookup definition permissions are set like this

The role for the support team is cloned from the role that uses the original app

Inheritance

Cababilities

This app doesn't use any indexes and there are no Restrictions in place
The resources are

The user is

with the Config

This is doing my head in because it looks like it should work but isn't, can anyone see what I have missed?

Cheers

Mike

mscomms · ‎03-02-2022

@gcusello I have set the permission to

Its still not workin

mscomms · ‎03-02-2022

@gcusello here is the definition

mscomms · ‎03-02-2022

gcusello · ‎03-02-2022

Hi @mscomms,

I don't see anything wrong!

could you try to run the search without where conditions?

| inputlookup NoxIP.csv

I found something similar in another question https://community.splunk.com/t5/Splunk-Search/Error-subsearch-The-lookup-table-dns-serves-csv-requir...

Ciao.

Giuseppe

mscomms · ‎03-02-2022

I have checked that article but I definatly haven't got a typo as this search copied and pasted ito a search window in the new app using my admin user works fine

mscomms · ‎03-02-2022

I have already tried that but have retested and it is still failing

gcusello · ‎03-02-2022

Hi @mscomms.,

could you share the screenshot of the lookup definition?

Ciao.

Giuseppe

mscomms · ‎03-02-2022

All groups have read access, the admin and power grants are for write access

gcusello · ‎03-02-2022

Hi @mscomms,

there isn't any additional check I can think, please try to give read grants to User on those lookup and lookup definition.

Ciao.

Giuseppe

mscomms · ‎03-02-2022

@gcusello The read permissions are set for all roles on the system so both

gcusello · ‎03-02-2022

Hiu @mscomms,

yes, I've seen, probably it isn't relevant, but, please, try to do this.

Give wrtite grants to User on lookup and lookup definition.

Ciao.

Giuseppe

gcusello · ‎03-02-2022

Hi @mscomms,

did you tried to give to your lookup and lookup definition grants for your role or for the "user" role?

You gave only grants fro admin and power user roles and you haven't non of them.

Ciao.

Giuseppe

How to access a lookup created in one app in another?

lookup

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases