Solved: Will changing a lookup file persist on app update?

aelliott · ‎07-24-2014

We have a need to change an out of the box lookup file within Splunk_TA_Windows, this lookup file (windows_signatures.csv) has a column called "action" that is only filled out on Windows 2003 events. Actions such as created, modified, deleted, etc.

These actions are needed to be set in order to show up within the Network Changes dashboard in Splunk Enterprise Security.

If we were to ever update this app in the future to a later version, will it overwrite our lookup file changes?

strive · ‎07-24-2014

Yes, upgrading app overrides the changes.

I did a quick test. Downloaded and installed version 4.6.6. Made some changes to the CSV file that you mentioned. Downloaded the version 4.6.7 and upgraded the app. The changes made by me were overwritten.

View solution in original post

strive · ‎07-24-2014

Yes, upgrading app overrides the changes.

I did a quick test. Downloaded and installed version 4.6.6. Made some changes to the CSV file that you mentioned. Downloaded the version 4.6.7 and upgraded the app. The changes made by me were overwritten.

strive · ‎07-24-2014

I suppose this will be the case with all the app upgrades.

Will changing a lookup file persist on app update?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk