Does Splunk Log if a lookup file is modified?

AndySplunks · ‎10-04-2019

Does Splunk generate logs when a lookup file is modified?

I have some searches that use lookup files. I'd like to monitor when the lookup file is modified.

rbar16 · ‎06-24-2020

@AndySplunks The following search will show you the lookup files within Splunk and the last updated date.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| table title updated

This search is for when they are actually edited:
index=_internal "Lookup edited successfully" |table _time namespace lookup_file user

jacobpevans · ‎10-04-2019

Greetings @AndySplunks,

If you navigate to the lookup in the Lookup Editor app, is there a "Revert to previous version" button? I don't know exactly how it works (i.e. what triggers a backup), but Splunk does, in some cases, save backups in a subfolder of the lookup directory on the file system. I'm fairly confident that there is always a backup saved when lookups are modified via the "import" feature. Outside of that, I'm not sure.

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Does Splunk Log if a lookup file is modified?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!