Hi All,
I am trying to view a lookup file that has the sharing set on this app only from another app than it is defined.
Is there anyway to achieve this without changing the permission in the GUI?
This is the SPL i'm running but it skips the lookup files that aren't being shared.
Maybe temporary set the sharing to global and set it back or something
| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| fields title eai:acl.owner eai:acl.app
| where !match(title,"\.mlmodel")
| rename eai:acl.* as *
| map [ | inputlookup $title$
| foreach * [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
| addtotals b_* fieldname=b | stats sum(eval(b/1024/1024)) as mb
| eval name="$title$", owner="$owner$", app="$app$" ] maxsearches=1000
I think your question is whether SPL can alter scope of settings. It cannot. Out of curiosity, what is the use case here? Why is it so important that you do not change permission?
I wanted to get a list of the sizes of all lookup files to see which ones are very large. Some of the lookup files are set to app only and the SPL doesn't work.
It would be really easy to do that on the command line. If you don't have command line access, another method could be to use the REST API directly: data/lookup-table-files.