Splunk Search

How to outputlookup csv with permission?

LearningGuy
Builder

Hello,
How to outputlookup csv with permission?  
***Note that I am not Splunk admin - I only have access to Splunk GUI***  
Please help. Thank you so much

For example: 
| outputlookup test.csv

It will create test.csv in the following directory with no owner and sharing:Global 
I am able to delete it, but I could not modify the permission.
How to outputlookup csv and set to sharing:App and I am the owner?

/opt/splunk/etc/apps/testapp/lookups/test.csv   
Owner: No owner    App: testapp   Sharing: Global    Status Enabled

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

When you said you did this

I added a new lookup by uploading the CSV file by going to Lookups » Lookup table files » Add new
the CSV file was uploaded to this this directory and I can change the permission

When you upload the CSV the list of lookups will show your lookup as private 

bowesmana_0-1694736897019.png

you can then change the permissions to app, which MOVES the file system location of that file to the location inside the app.

bowesmana_1-1694737027521.png

 

Then when you run outputlookup, you will be updating the one in the app folder, which you have previously set to app permission.

 

 

 

View solution in original post

LearningGuy
Builder

Hello,
I added a new lookup by uploading the CSV file by going to Lookups » Lookup table files » Add new
the CSV file was uploaded to this this directory and I can change the permission
/opt/splunk/etc/users/[myuserID]/testapp/lookups/test.csv

When I used outputlookup, it wrote the same test.csv file into a different directory below and I cannot change the permission.
/opt/splunk/etc/apps/testapp/lookups/test.csv   

Please suggest. Thank you

0 Karma

bowesmana
SplunkTrust
SplunkTrust

This location means the lookup is private

/opt/splunk/etc/users/[myuserID]/testapp/lookups/test.csv

which is the default state when you upload a lookup. You should change the permission to app before you do the outputlookup.

 

LearningGuy
Builder

Hello,

You said "You should change the permission to app before you do the outputlookup"
Do you mean to change the permission to the app, not the CSV file?
If so, can you please give me an example?   Note that I am not the admin
Thank you

Before outputlookup - no CSV file
After outputlookup - CSV file exists - but I cannot change the permission (it's greyed out)
/opt/splunk/etc/users/[myuserID]/testapp/lookups/test.csv

0 Karma

bowesmana
SplunkTrust
SplunkTrust

When you said you did this

I added a new lookup by uploading the CSV file by going to Lookups » Lookup table files » Add new
the CSV file was uploaded to this this directory and I can change the permission

When you upload the CSV the list of lookups will show your lookup as private 

bowesmana_0-1694736897019.png

you can then change the permissions to app, which MOVES the file system location of that file to the location inside the app.

bowesmana_1-1694737027521.png

 

Then when you run outputlookup, you will be updating the one in the app folder, which you have previously set to app permission.

 

 

 

LearningGuy
Builder

Your suggestion worked!!
Thank you so much for your help

0 Karma

bowesmana
SplunkTrust
SplunkTrust

If this is a known consistent csv you are going to create, then create a new lookup of that name and upload a dummy csv. You can then define the permissions on the csv and outputlookup will then not change those permissions.

 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...