Splunk Lookups Return Error Even When Permissions Are Global

aelliott
Motivator

I created a lookup and it was created under a specific app and I pointed it to a particular sourcetype.

When setting the permissions to allow all apps to access the lookup, why then can the other apps not see this lookup (other apps are using the same sourcetype)?

I had to recreate each of my lookups 3 times in order to not get the error that the lookup could not be found.

Are permissions broken for lookups?

lguinn2
Legend

Did you set the permissions to global for all three components of the lookup?

  1. the lookup file
  2. the lookup definition
  3. the automatic lookup definition

If any one of these is not global, then the lookup will not work globally.

0 Karma

aelliott
Motivator

Would the fact that the data it is tied to (index) is on a master instance have any effect?

0 Karma

aelliott
Motivator

All set to App .. more specifically: This app only (system)

0 Karma

lguinn2
Legend

No, the lookup file can be in the app directory. The metadata is set to export the file globally.

Next question - what are the permissions on the app itself?

0 Karma
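The check described in the replies above (all three components shared globally, as recorded in the app's metadata) can be scripted. This is an added example, not code from the thread or from Splunk; the lookup, sourcetype and app names are hypothetical. It assumes the usual `.meta` stanza names (`lookups/<file>`, `transforms/<definition>`, `props/<sourcetype>/LOOKUP-<name>`), a simplified inheritance model, and app-only as the default when no `export` is set.

```python
# Added example: audit .meta text for the three components of one lookup.
SAMPLE_META = """\
# constructed sample local.meta for a hypothetical app
[lookups/asset_owner.csv]
export = system

[transforms/asset_owner]
access = read : [ * ], write : [ admin ]
export = system

[props/fw_logs/LOOKUP-asset_owner]
access = read : [ * ], write : [ admin ]
"""

def parse_meta(text):
    """Return {stanza: {key: value}} from .meta text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(stanzas, name):
    """Most specific stanza wins; fall back to parent paths, then []."""
    parts = name.split("/")
    for depth in range(len(parts), -1, -1):
        export = stanzas.get("/".join(parts[:depth]), {}).get("export")
        if export is not None:
            return export
    return "none"  # assumed default: visible in the owning app only

def audit_lookup(meta_text, csv_file, definition, sourcetype, auto_name):
    """Return the components of one lookup that are not exported globally."""
    stanzas = parse_meta(meta_text)
    components = {
        "lookup file": f"lookups/{csv_file}",
        "lookup definition": f"transforms/{definition}",
        "automatic lookup": f"props/{sourcetype}/LOOKUP-{auto_name}",
    }
    return [f"{label} [{stanza}]" for label, stanza in components.items()
            if effective_export(stanzas, stanza) != "system"]

if __name__ == "__main__":
    for item in audit_lookup(SAMPLE_META, "asset_owner.csv", "asset_owner",
                             "fw_logs", "asset_owner"):
        print("not global:", item)
```

In the constructed sample only the automatic lookup is reported, which matches the symptom in the thread: the file and definition are global, but other apps still cannot use the lookup.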

aelliott
Motivator

The lookup file remained in the specific app lookup folder even after changing it to global. Could this be the issue?

0 Karma

linu1988
Champion

Where was the lookup file present? In the global location, i.e. system\lookup, or the specific app lookup folder?

0 Karma

aelliott
Motivator

They were all set global; I have tried this on multiple Splunk instances.

0 Karma