Splunk Search

Can we create lookup table for specific owner?

sumangala
Path Finder

Hi,

Is there any way that we can create a lookup table for a specific user? I checked the outputlookup command and it doesn't provide any option to provide an owner name. Can anyone help me here? I searched lots of documentation regarding this, but couldn't find it.
1 Solution

gjanders
SplunkTrust

If you are asking to be able to output a lookup and have it owned by someone other than the user you are logged in as, I do not think that is possible.
You can share your lookup if you have appropriate permissions within the application or at the global level.

You can also change the owner/sharing level of a lookup via the REST API; the endpoints of interest are:

/servicesNS/-/-/data/lookup-table-files
/servicesNS/-/-/data/transforms/lookups
/servicesNS/-/-/data/props/lookups

Where the above REST endpoints list the lookup files, the lookup definitions and automatic lookups, in that order.

If you wanted to list them then you would access:
https://localhost:8089/servicesNS/-/-/data/lookup-table-files?count=-1
https://localhost:8089/servicesNS/-/-/data/props/lookups?count=-1
https://localhost:8089/servicesNS/-/-/data/transforms/lookups?count=-1

Or similar.

To re-own the item you can use Python, curl or your preferred program; the Splunk binary can also do this:

$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/<theNewOwner>/<appContext>/data/lookup-table-files/lookupfilename.csv/acl" -post:owner <newOwner> -post:sharing user

Where sharing can be user (where user is private), app, or global (the system / shared permission in all applications).

There are curl examples here:
Examples using the Splunk REST API. In particular, refer to this section that I've quoted from the document:

Share an object to an app, modify its permissions, and edit it

Make Alice's saved search, mysearch, available through the app, myapp. Allow all users permissions to read the saved search.

curl -k -u admin:pass https://localhost:8089/servicesNS/alice/myapp/saved/searches/mysearch/acl  \
        -d perms.read=* \
        -d owner=alice \
        -d sharing=app

sumangala
Path Finder

Ya. The above method works fine for re-owning an already existing lookup file. Is there any REST API to create a lookup table for a specific user (the logged-in user itself)?
I am using this curl to create a specific user's lookup file.
curl -k -u usrname:pwd https://localhost:8089/servicesNS/usrname/app_name/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookupfile.csv' -d 'name=lookupfile.csv'
But the problem here is that the lookup file should be present at the lookup stanza area (/opt/splunk/var/run/splunk/lookup_tmp); with JavaScript I cannot create a file at the specified location.

Is there a way to create lookup table for individual users?

0 Karma

gjanders
SplunkTrust

Why not create the lookup in 1 curl call, then another RESTful/curl call to change the owner/sharing to user level?

0 Karma

sumangala
Path Finder

Hi garethatiag,
I did the same thing: one search command to create the lookup file at app level, like this:
`| makeresults | eval name="usrname" | eval token="bvsd4534vff"| outputlookup lookup_21april.csv append=True createinapp=True`

Now I want to change the ownership of the lookup file.
Here form_uid is the new user name, and the lookup file is already present at app level before executing the code below.
I tried both methods, XMLHttpRequest and jQuery Ajax. I am getting a 404 error.
Is this resource not there on the web server?

By XMLHttpRequest:

```
if (window.XMLHttpRequest) {
    var xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var record = {
    "owner": form_uid,
    "sharing": "user"
};
var url = '/servicesNS/' + form_uid + '/app_name/data/lookup-table-files/lookup_' + form_uid + '.csv/acl';
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xmlhttp.onreadystatechange = function() { // Call a function when the state changes.
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        console.log(xmlhttp.responseText);
    }
};
xmlhttp.send(JSON.stringify(record));
```

By jQuery Ajax:

```
$.ajax({
    type: "POST",
    url: '/servicesNS/' + form_uid + '/app_name/data/lookup-table-files/lookup_' + form_uid + '.csv/acl',
    dataType: 'text/csv',
    data: JSON.stringify(record),
    beforeSend: function (xmlhttp) {
        xmlhttp.setRequestHeader('Accept-Language', 'en_US');
    }
});
```

Could you please help me work out what's wrong in my code above, or why the resource is not available on the Splunk web server?

0 Karma

gjanders
SplunkTrust

So your application is called "app_name" where the lookup is located?
Can you see it in a web browser via:
https://:8089/servicesNS/'+form_uid+'/app_name/data/lookup-table-files/lookup_'+form_uid+'.csv'
?

Or via a curl get request...

0 Karma

sumangala
Path Finder

Hi garethatiag,
Currently the lookup file is in the app-level folder, as below:
/opt/splunk/etc/apps/splunk_app/lookups/lookup_user_name.csv

Now I want to change it to the user_name-level folder by executing this curl command.
curl -k -u user_name:password https://localhost:8089/servicesNS/user_name/splunk_app/data/lookup-table-files/lookup_user_name.csv/acl -d owner=user_name -d sharing=user
Then the lookup file location changes to:
/opt/splunk/etc/users/user_name/splunk_app/lookups/lookup_padmin.csv
This works correctly with the curl command.

I want to do the same thing with a JavaScript API call.
I can't execute this URL without a body, as the body contains owner=user_name -d sharing=user;
this is the main parameter to move the lookup file location.
https://:8089/servicesNS/'+form_uid+'/app_name/data/lookup-table-files/lookup_'+form_uid+'.csv'
I executed this and got a 'This site can’t be reached' error.

0 Karma
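
The curl call that works above sends owner and sharing as form fields to the lookup file's /acl endpoint, using the sharing levels listed in the accepted answer. As an added example (not code from any poster in this thread), here is the same request built in JavaScript; the function names, the name-validation pattern and the `base` default are assumptions.

```javascript
// Added example; function and parameter names are hypothetical.
const SHARING_LEVELS = new Set(["user", "app", "global"]); // levels named in the answer

// User, app and file names are placed in the URL path, so reject anything that
// could alter it. The pattern is an assumption; adjust it to your naming policy.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9_.@-]*$/;

function checkName(value, label) {
  if (typeof value !== "string" || !SAFE_NAME.test(value) || value.includes("..")) {
    throw new Error(`invalid ${label}: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildLookupAclRequest({
  base = "https://localhost:8089", // management port used by the page's curl calls
  namespaceUser, app, lookupFile, newOwner, sharing,
}) {
  if (!SHARING_LEVELS.has(sharing)) {
    throw new Error(`sharing must be one of: ${[...SHARING_LEVELS].join(", ")}`);
  }
  const path = [
    "servicesNS", checkName(namespaceUser, "namespaceUser"), checkName(app, "app"),
    "data", "lookup-table-files", checkName(lookupFile, "lookupFile"), "acl",
  ].map(encodeURIComponent).join("/");
  // Equivalent of curl's `-d owner=... -d sharing=...`: a form-encoded body.
  // JSON.stringify(record) would send one JSON string, not these two fields.
  const body = new URLSearchParams({ owner: checkName(newOwner, "newOwner"), sharing });
  return {
    url: `${base.replace(/\/+$/, "")}/${path}`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Sends the request. `authorization` is the caller's Authorization header value.
async function reownLookup(params, authorization) {
  const { url, ...init } = buildLookupAclRequest(params);
  init.headers.Authorization = authorization;
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`ACL change failed: HTTP ${res.status}`);
  return res.text();
}
```
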

gjanders
SplunkTrust
0 Karma

sumangala
Path Finder

It's OK... Thank you... 🙂
Can anyone help here? Why is the resource not available on the Splunk web server?

0 Karma

sumangala
Path Finder

Hi garethatiag,

Thank you for the detailed answer. It really helped me to change ownership. But my question is: while creating the lookup file itself, can I create it on a per-user basis via the REST API? This can be done by the Splunk web interface. `| makeresults | eval name="usrname" | eval token="bvsd4534vff"| outputlookup lookup_21april.csv append=True createinapp=True` This creates a lookup file at app level, `$splunk_path/etc/apps/app_name/lookup`.

I want it to be created at $splunk_path/etc/users/usr_name/app_name/lookup.

0 Karma