Is there a log of modifications of each lookup table for auditing of lookup table changes?

hammonaj
New Member

We have several lookup tables that are updated frequently. Is there a log recording who makes a modification to each lookup table?

0 Karma

richgalloway
SplunkTrust

How do you update your lookup files?

---
If this reply helps you, Karma would be appreciated.
0 Karma

hammonaj
New Member

Through "The Lookup Updater" in Sideview Utils.

0 Karma

hammonaj
New Member

I have found a slight workaround. When "Delete" is clicked in "The Lookup Updater", a web call is made that performs a search. The search looks like this:

search:| inputlookup test.csv| eval zomgItsOurRow=if(GroupName=="Test_Group","1","0")| streamstats count(eval(zomgItsOurRow==1)) as zomgHaveWeMatchedYet| eval zomgItsOurRow=if(zomgHaveWeMatchedYet<2,zomgItsOurRow,0)| fields - zomgHaveWeMatchedYet| search NOT zomgItsOurRow=1 | fields - zomgItsOurRow | outputlookup test.csv

I then simply looked at index=_audit for this search being performed. It includes the user, time, and entry that they removed.

0 Karma
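A search along the lines of the workaround described above, as an added example that is not part of the original thread or of Sideview Utils: it lists every granted search in `index=_audit` that writes a lookup with `outputlookup`, with the user and time. The output field names `lookup_name` and `deleted_row_condition` are chosen here for illustration, and the second `rex` assumes the delete search has the shape quoted in the post and that the matched value contains no comma.

```spl
index=_audit action=search info=granted search="*outputlookup*"
| rex field=search "\|\s*outputlookup\s+(?:\w+=\S+\s+)*(?<lookup_name>[^\s|']+)"
| where isnotnull(lookup_name)
| rex field=search "zomgItsOurRow=if\((?<deleted_row_condition>[^,]+),"
| table _time user lookup_name deleted_row_condition search
| sort - _time
```

The `where` clause drops events where no lookup name could be extracted, which includes the audit record of this search itself. Changes made to a lookup file outside of a search, such as a file upload or an edit on disk, do not produce these events.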