Splunk Search

Why did the lookup file not move despite changing its read perms?


I changed the permissions on a lookup file from the UI via Manage Apps - > Search and Reporting -> View Objects -> Read access to everyone on the lookup object. However, on my search head the lookup file is still under $SPLUNK_HOME/etc/users//search/lookups and not under $SPLUNK_HOME/etc/apps/search/lookups/. The read access has been given on app level but at the backend, the file still remains in the user directory. rendering it inaccessible. Is this a bug with Splunk?

0 Karma

Super Champion

I have noticed this as well, actually! I am not sure why it does that, exactly, but my best suggestion would be to submit a ticket to Splunk. That's what I did 🙂 Maybe it'll be fixed in a new release.

0 Karma