Lookup files permissions- Is there a way to view l...

Sanz · ‎08-17-2022

Hi All,

I am trying to view a lookup file that has the sharing set on this app only from another app than it is defined.

Is there anyway to achieve this without changing the permission in the GUI?
This is the SPL i'm running but it skips the lookup files that aren't being shared.

Maybe temporary set the sharing to global and set it back or something

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| fields title eai:acl.owner eai:acl.app
| where !match(title,"\.mlmodel")
| rename eai:acl.* as *
| map [ | inputlookup $title$
| foreach * [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
| addtotals b_* fieldname=b | stats sum(eval(b/1024/1024)) as mb
| eval name="$title$", owner="$owner$", app="$app$" ] maxsearches=1000

yuanliu · ‎08-17-2022

I think your question is whether SPL can alter scope of settings. It cannot. Out of curiosity, what is the use case here? Why is it so important that you do not change permission?

Sanz · ‎08-22-2022

I wanted to get a list of the sizes of all lookup files to see which ones are very large. Some of the lookup files are set to app only and the SPL doesn't work.

yuanliu · ‎08-22-2022

It would be really easy to do that on the command line. If you don't have command line access, another method could be to use the REST API directly: data/lookup-table-files.

Lookup files permissions- Is there a way to view lookup file without changing permission in GUI?

lookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!