0

As I am working on network security project. I need to create private lookup table for individual users, such that any other user shouldn't see the content of other users Lookup table. I have created Lookup table by:

curl -k -u username:pwd https://localhost:8089/servicesNS/nobody/*appname*/data/lookup-table-files -d 'eai:data=/opt/splunk/var/run/splunk/lookup_tmp/april.csv' -d 'name=12_april_lookup.csv'

This created 12_april_lookup.csv file inside .../my_app/lookup/ folder. This Lookup table permission is private at this point.

But, When I add some data to Lookup table by below search command:

| makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True

then file will get created in other app folder with become global permission. Now all user can view file content by

|inputlookup 12_april_lookup.csv
Shea Hunter Belsky
  • 2,815
  • 3
  • 22
  • 31
Sumangala Amati
  • 1
  • 3

1 Answers1

0

Need to run below command with same app search section: As this command was running on global app level, so file was created at global level with global permission. In splunk every app has search section. Based on which app search section file will be created in that app lookup folder. Make sure every search we do in splunk, You are in correct app section. | makeresults | eval name="xyz" | eval token="12345"| outputlookup 12_april_lookup.csv append=True createinapp=True

Sumangala Amati
  • 1
  • 3