Is there a way to take a given dashboard or report or both and trace back to all of its dependencies?
It would be great if it was a scripted method, but if there's an interactive way to do this that'd be fine.
Basically, there are some changes planned and we want to take an inventory of a given app's data, indices, reports, dashboards, etc. from two vantage points: a) to simply have a record/backup of these assets; and b) to understand what has been built within an app - for which there have been many hands involved over time building.
Thanks in advance for any help!
There is no complete way of doing this, but it'd be a nice feature to have.
Manually, you'd take a dashboard and list all its scripts, CSS files, permissions, and searches.
Then you'd take a search, and list its indexes (including wildcards, implicit settings by role-based permissions), sourcetypes, fields, lookups, macros, etc. across all apps in its namespace (= private by user + shared in this app + imported from other apps + exported globally by other apps + system).
Getting that right and complete is nigh-on impossible. For example, take a simple search: status=200 | stats count
That loads data from all indexes the current user's roles are set to search by default. Depending on your environment, that alone might be a tough question to answer.
Then, it uses all status
fields from all sourcetypes. Those could be index-time (check on all indexers and cooking heavy forwarders for their definition), auto-key-value, regex EXTRACT-foo or REPORT-foo, calculated, aliased, or autolookup'd - as visible in the current user's namespace, so for example a field alias private to that user could change the results significantly, or not having read permissions for a TA that globally extracts the status field for some sourcetype.
To a degree, the Knowledge Object Explorer can help - enter status=200
into the Explore page and you'll get a tree of aliases, calculated fields, and reverse lookups across the selected namespace. It won't answer all questions though.
https://splunkbase.splunk.com/app/2871/
There is no complete way of doing this, but it'd be a nice feature to have.
Manually, you'd take a dashboard and list all its scripts, CSS files, permissions, and searches.
Then you'd take a search, and list its indexes (including wildcards, implicit settings by role-based permissions), sourcetypes, fields, lookups, macros, etc. across all apps in its namespace (= private by user + shared in this app + imported from other apps + exported globally by other apps + system).
Getting that right and complete is nigh-on impossible. For example, take a simple search: status=200 | stats count
That loads data from all indexes the current user's roles are set to search by default. Depending on your environment, that alone might be a tough question to answer.
Then, it uses all status
fields from all sourcetypes. Those could be index-time (check on all indexers and cooking heavy forwarders for their definition), auto-key-value, regex EXTRACT-foo or REPORT-foo, calculated, aliased, or autolookup'd - as visible in the current user's namespace, so for example a field alias private to that user could change the results significantly, or not having read permissions for a TA that globally extracts the status field for some sourcetype.
To a degree, the Knowledge Object Explorer can help - enter status=200
into the Explore page and you'll get a tree of aliases, calculated fields, and reverse lookups across the selected namespace. It won't answer all questions though.
https://splunkbase.splunk.com/app/2871/
Thanks Martin. Good to know that I didn't just happen to miss a feature that might have existed. I'll check into that Knowledge Object Explorer and see how far I get with that.
To add to @martin_mueller 's answer you can use Splunk REST API to fetch your Dashboard Simple XML code
| rest /servicesNS/<YourUserName>/<YourAppName>/data/ui/views/
| search eai:appName="<YourAppName>" AND author="<YourUserName>" isDashboard=1
| table title label author eai:appName eai:data updated
Then extract out all the required details from eai:data using SPL like spath
and rex
etc:
1) Scripts/CSS and other Static files like images/icons
2) Knowledge Objects used
3) Post Processing
4) Tokens used in dashboard
5) Visualizations used/Configuration options used
6) No of elements/panels/charts etc
7) No of searches running
8) Drilldown and dependency with external URLs/Dashboards/Saved Searches
For each Knowledge Object Identified above either specific REST call can be used or else better use the amazing utility app suggested by @martin_mueller.
Thanks @niketnilay.... I'll poke around with the REST stuff too.... I've only touched that briefly in some of the courses. Maybe it's time for me to actually discover more about them.