Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup files permissions- Is there a way to view lookup file without changing permission in GUI?

Sanz
Explorer
‎08-17-2022 12:50 AM

Hi All,

I am trying to view a lookup file that has the sharing set on this app only from another app than it is defined.

Is there anyway to achieve this without changing the permission in the GUI?
This is the SPL i'm running but it skips the lookup files that aren't being shared.

Maybe temporary set the sharing to global and set it back or something 

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| fields title eai:acl.owner eai:acl.app
| where !match(title,"\.mlmodel")
| rename eai:acl.* as *
| map [ | inputlookup $title$
| foreach * [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
| addtotals b_* fieldname=b | stats sum(eval(b/1024/1024)) as mb
| eval name="$title$", owner="$owner$", app="$app$" ] maxsearches=1000
Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-17-2022 09:53 PM

I think your question is whether SPL can alter scope of settings.  It cannot.  Out of curiosity, what is the use case here?  Why is it so important that you do not change permission?

0 Karma
Reply

Sanz
Explorer
‎08-22-2022 12:42 AM

I wanted to get a list of the sizes of all lookup files to see which ones are very large. Some of the lookup files are set to app only and the SPL doesn't work. 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-22-2022 10:54 PM

It would be really easy to do that on the command line.  If you don't have command line access, another method could be to use the REST API directly: data/lookup-table-files.  

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...