Splunk Search

Lookup files permissions- Is there a way to view lookup file without changing permission in GUI?

Sanz
Explorer

Hi All,

I am trying to view a lookup file that has the sharing set on this app only from another app than it is defined.

Is there anyway to achieve this without changing the permission in the GUI?
This is the SPL i'm running but it skips the lookup files that aren't being shared.

Maybe temporary set the sharing to global and set it back or something 

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| fields title eai:acl.owner eai:acl.app
| where !match(title,"\.mlmodel")
| rename eai:acl.* as *
| map [ | inputlookup $title$
| foreach * [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
| addtotals b_* fieldname=b | stats sum(eval(b/1024/1024)) as mb
| eval name="$title$", owner="$owner$", app="$app$" ] maxsearches=1000
Labels (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I think your question is whether SPL can alter scope of settings.  It cannot.  Out of curiosity, what is the use case here?  Why is it so important that you do not change permission?

0 Karma

Sanz
Explorer

I wanted to get a list of the sizes of all lookup files to see which ones are very large. Some of the lookup files are set to app only and the SPL doesn't work. 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

It would be really easy to do that on the command line.  If you don't have command line access, another method could be to use the REST API directly: data/lookup-table-files.  

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...