Hi,
I am using the Lookup File Editor App for modifying Lookup Files using Splunk Web. I noticed that the App provides the ability to view/load the previous 20 versions of the lookup, along with the date they were modified (the 'Revisions' dropdown). However, is there any way we can get an Audit of all the modifications on the Lookup File, along with the User who modified the lookup, what modifications were made, etc.? We want to maintain an Audit of all the Lookup modifications.
The lookup editor keeps a log that is indexed into the _internal index. You can view the logs with a search like this:
index=_internal "Lookup edited successfully" | table _time user namespace lookup_file
Hi Luke,
I was trying to explore options for comparing and identifying the lookup changes using a Splunk search query. However, I have had no luck so far. Do you think there would be a way to compare the 2 versions in a Splunk search query and capture the modified information, or do we need to rely on external tools to do the comparison? Our requirement is to show the changes within a Splunk dashboard itself, detailing the time, user and the change.
Regards
Swati
That's great Luke, thanks a lot! This was a huge help 🙂 Is there any way we could actually see what was changed, like a New Value / Old Value pair, or a comparison of the current and penultimate version, etc.?
The only way I can think of determining the details would be to compare the lookup file contents by comparing the backup versions. A log entry is created noting that a backup was created so you could correlate the backup file version to the change (search for "A backup of the lookup file was created").
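To illustrate the comparison Luke describes, here is an added example (not code from the thread or from the Lookup File Editor app) that diffs two revisions of a CSV lookup keyed on one column and reports each changed cell as an old/new value pair. The two revisions are constructed sample data for a hypothetical lookup named asset_owners.csv; in practice you would feed it the current file and the backup copy correlated via the "A backup of the lookup file was created" log entry (the backup location is not stated in the thread, so the script takes the file contents as input). The key=value output format is my own convention, chosen so the lines could be indexed and joined on time, user and lookup_file with the "Lookup edited successfully" events from the _internal search above.

```python
"""Diff two revisions of a Splunk CSV lookup and emit old/new value pairs."""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample data: two revisions of a hypothetical lookup
# "asset_owners.csv". These are not real backups from the thread.
OLD_CSV = """host,owner,criticality
web01,alice,high
db01,bob,high
app01,carol,medium
"""

NEW_CSV = """host,owner,criticality
web01,alice,high
db01,mallory,high
app01,carol,low
vpn01,dave,high
"""


def load_lookup(text: str, key_field: str) -> Dict[str, Dict[str, str]]:
    """Parse CSV text into {key: row}. Duplicate keys are rejected, because
    the diff would otherwise silently compare against one arbitrary copy."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or key_field not in reader.fieldnames:
        raise ValueError(f"key field {key_field!r} missing from header")
    rows: Dict[str, Dict[str, str]] = {}
    for row in reader:
        key = row[key_field]
        if key in rows:
            raise ValueError(f"duplicate key {key!r} in lookup")
        rows[key] = row
    return rows


def diff_lookups(old_text: str, new_text: str, key_field: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per changed cell. Added or removed rows produce one
    record per non-key field, with the missing side reported as None, so a
    column that exists in only one revision is also surfaced."""
    old = load_lookup(old_text, key_field)
    new = load_lookup(new_text, key_field)
    # Column order: the new header first, then any columns dropped in the new revision.
    fields = list(csv.DictReader(io.StringIO(new_text)).fieldnames or [])
    for name in csv.DictReader(io.StringIO(old_text)).fieldnames or []:
        if name not in fields:
            fields.append(name)
    fields = [f for f in fields if f != key_field]

    changes: List[Dict[str, Optional[str]]] = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        kind = "added" if before is None else "removed" if after is None else "changed"
        for field in fields:
            old_val = before.get(field) if before is not None else None
            new_val = after.get(field) if after is not None else None
            if old_val != new_val:
                changes.append({"change": kind, "key": key, "field": field,
                                "old": old_val, "new": new_val})
    return changes


def to_kv_events(changes: List[Dict[str, Optional[str]]], lookup_file: str,
                 user: str, timestamp: str) -> List[str]:
    """Render each change as one key="value" line (my convention, not the
    editor's) so it can be indexed and joined with the editor's own log."""
    def quote(value: str) -> str:
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

    lines = []
    for change in changes:
        parts = [f"time={quote(timestamp)}", f"user={quote(user)}",
                 f"lookup_file={quote(lookup_file)}"]
        for name in ("change", "key", "field", "old", "new"):
            value = change[name]
            if value is not None:
                parts.append(f"{name}={quote(value)}")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # Timestamp and user are placeholders; take them from the matching
    # "Lookup edited successfully" event in real use.
    result = diff_lookups(OLD_CSV, NEW_CSV, key_field="host")
    for line in to_kv_events(result, "asset_owners.csv", "admin", "2024-01-01T00:00:00Z"):
        print(line)
```

The key column is what makes the output meaningful: without it, an inserted row would shift every later line and show up as a wholesale rewrite. If a lookup has no single unique column, a composite of several columns (or the full row) can be used as the key instead.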
Thanks Luke!