
How to get the Audit for Lookup files modification using the Lookup File Editor App?

SwatiApte
Path Finder

Hi,

I am using the Lookup File Editor App for modifying Lookup Files using Splunk Web. I noticed that the App provides the ability to view/load the previous 20 versions of the lookup, along with the date they were modified (the 'Revisions' dropdown). However, is there any way we can get an Audit of all the modifications on the Lookup File, along with the User who modified the lookup, what were the modifications made etc? We want to maintain an Audit of all the Lookup modifications.

1 Solution

LukeMurphey
Champion

The lookup editor keeps a log that is indexed into the _internal index. You can view the logs with a search like this:

index=_internal "Lookup edited successfully" | table _time user namespace lookup_file

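
Building on that search, the following SPL is an added example, not part of the original answer or of the Lookup File Editor app. It pairs each "Lookup edited successfully" event with the "A backup of the lookup file was created" event the app writes for the same edit, so a dashboard panel can show who edited what, when, and whether a backup copy exists to diff against. It assumes (not confirmed by the thread) that the backup event carries the same user and lookup_file fields as the edit event, and the 30-second maxspan is a guess at how far apart the two log lines land:

```spl
index=_internal ("Lookup edited successfully" OR "A backup of the lookup file was created")
| eval action=if(searchmatch("Lookup edited successfully"), "edit", "backup")
| transaction user lookup_file maxspan=30s
| eval edited_at=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       backup_taken=if(isnotnull(mvfind(action, "backup")), "yes", "no")
| table edited_at user namespace lookup_file backup_taken
| sort - edited_at
```

If backup_taken shows "no" for an edit, there is nothing on disk to compare against for that change, so the audit record is the log entry alone. Drop the transaction line and add `| stats count BY user lookup_file` instead if all you need is a per-user edit count.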

SwatiApte
Path Finder

Hi Luke,

I was trying to explore options for comparing and identifying the lookup changes using a Splunk search query. However, I have had no luck so far. Do you think there would be a way to compare the 2 versions in a Splunk search query and capture the modified information, or do we need to rely on external tools to do the comparison? Our requirement is to show the changes within a Splunk dashboard itself, detailing the time, user and the change.

Regards
Swati

0 Karma

SwatiApte
Path Finder

That's great Luke, thanks a lot! This was a huge help 🙂 Is there any way we could actually see what was changed, like New Value-Old Value pair, or a comparison of current and penultimate version etc?

0 Karma

LukeMurphey
Champion

The only way I can think of determining the details would be to compare the lookup file contents by comparing the backup versions. A log entry is created noting that a backup was created so you could correlate the backup file version to the change (search for "A backup of the lookup file was created").
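
The comparison Luke describes, as an added example that is not part of the original thread or of the Lookup File Editor app: the script below takes the text of a backup copy of the lookup and the current file, keys rows on a column you choose, and reports old/new value pairs plus added and deleted rows. The two CSV strings are constructed sample data standing in for the backup and current files; point `diff_lookup` at the real files from the app's backup directory and the current lookup to get the same table for a genuine edit.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample data: the previous backup copy and the current file of
# one lookup. Not real output from the Lookup File Editor app.
BACKUP_CSV = """host,owner,criticality
web01,alice,high
db01,bob,high
mail01,carol,low
"""

CURRENT_CSV = """host,owner,criticality
web01,alice,medium
db01,dave,high
dns01,erin,low
"""

Change = Tuple[str, str, str, str, str]  # (change, key, field, old_value, new_value)


def load_rows(text: str, key: str) -> Dict[str, Dict[str, str]]:
    """Parse lookup CSV text into {key_value: row}.

    `key` must be a column whose values are unique; a lookup keyed on a
    duplicated column cannot be diffed row by row, so that is rejected.
    """
    reader = csv.DictReader(io.StringIO(text))
    fieldnames = reader.fieldnames or []
    if key not in fieldnames:
        raise ValueError(f"key column {key!r} not in header {fieldnames}")
    rows: Dict[str, Dict[str, str]] = {}
    for row in reader:
        k = row[key]
        if k in rows:
            raise ValueError(f"duplicate key value {k!r}; choose a unique key column")
        rows[k] = row
    return rows


def diff_lookup(old_text: str, new_text: str, key: str) -> List[Change]:
    """Return every cell-level difference between two versions of a lookup.

    change is 'added' (row only in new), 'deleted' (row only in old) or
    'modified' (same key, different value). Columns that exist in only one
    version are compared against the empty string, so a new column shows up
    as 'modified' with an empty old value.
    """
    old = load_rows(old_text, key)
    new = load_rows(new_text, key)
    changes: List[Change] = []
    for k in sorted(set(old) | set(new)):
        if k not in old:
            changes += [("added", k, f, "", v) for f, v in new[k].items() if f != key]
        elif k not in new:
            changes += [("deleted", k, f, v, "") for f, v in old[k].items() if f != key]
        else:
            # Union of column names, preserving header order, so dropped or
            # added columns are reported too.
            fields = list(dict.fromkeys(list(old[k]) + list(new[k])))
            for f in fields:
                if f == key:
                    continue
                ov, nv = old[k].get(f, ""), new[k].get(f, "")
                if ov != nv:
                    changes.append(("modified", k, f, ov, nv))
    return changes


def changes_to_csv(changes: List[Change]) -> str:
    """Render the diff as CSV with a header, suitable for loading into Splunk."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["change", "key", "field", "old_value", "new_value"])
    writer.writerows(changes)
    return out.getvalue()


if __name__ == "__main__":
    print(changes_to_csv(diff_lookup(BACKUP_CSV, CURRENT_CSV, "host")), end="")
```

Write the CSV output to a file and index it (or feed it to a scripted input) so the dashboard can join it with the "Lookup edited successfully" events on lookup_file and time; the app's log line is the only record of which user made the change, so keep both.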

SwatiApte
Path Finder

Thanks Luke!

0 Karma