How to do you change ownership of a lookup file?

sheamus69 · ‎09-17-2018

We have several lookup files for users who have left, and we would like to transfer the ownership to a new production user that we have created for the purpose. Any idea how to do this?

For other knowledge objects this can be done in settings > All Configurations > Reassign Knowledge Objects, but lookups do not seem to be included in this list.

Splunk 6.6.5
ES: 4.7.4

richgalloway · ‎09-17-2018

You'll have to move the files manually from $SPLUNK_HOME/etc/users/<olduser>/<app>/lookups/* to $SPLUNK_HOME/etc/users/<newuser>/lookups.

---
If this reply helps you, Karma would be appreciated.

Guardian452 · ‎08-07-2019

In addition to the above, please also look at the following link as the instructions there solved my ownership issue:

https://answers.splunk.com/answers/46339/change-app-and-object-ownership.html

In some cases the file is stored under the app context and moving it won't change the ownership. This happened to me while updating a lookup file for a custom app. There is a metadata folder in the app folder which contains default and local .meta files. I edited the local.meta file, found my owner=[myuseraccount] and changed this to nobody (or whatever user you want). Found the metadata files under $SPLUNK_HOME$/etc/apps/[appname]/metadata.

How to do you change ownership of a lookup file?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases