Request: Lookup Search Ability

Path Finder

It would be very convenient to be able to see all of the dashboards in which a lookup is being used - that way if I want to clone/rename a lookup, I know which dashboard panels I need to also change.

0 Karma
1 Solution

Champion

You could go to "manage views" and search for "lookup". That would return all queries where in-line search syntax contains the lookup.

Similarly, you could do the same within the "saved searches & reports" management UI.

SplunkTrust

That's an explicit lookup called from within the search... however, many lookups are used as an automatic lookup configured to be automatically added to a sourcetype. Those aren't easy to find, and usually are the ones you miss when looking for them by hand.

0 Karma

SplunkTrust

Alternatively, you can find saved searches that use an explicit lookup, inputlookup, or outputlookup command using this:

| rest /servicesNS/user/app/saved/searches | table title eai:acl.app eai:acl.owner search | rex max_match=0 field=search "(?i)\|\s*(input|output)?lookup\s+([^=|\s]+=[^=|\s]+\s+)*(?<lookup>\w+)" | search lookup=*

The lookups used are extracted into the field lookup... provided I didn't miss odd cases in my QnD regex 🙂

0 Karma

Path Finder

But that's not a lookup. If you have " lookup local=1 lookup_name foo OUTPUT blah", then you could have a regex search to find all lookups which call lookup_name. Also, this is just a feature request, not looking for an answer.

0 Karma

SplunkTrust

I don't think that's a question that can be reasonably answered.

Here's a simple example why I have doubts:
Say you have a lookup defined for sourcetype foo. The lookup search algorithm would obviously flag all searches (and hence dashboards using them) that search for sourcetype="foo".
However, what if you have a search for index=bar with no sourcetype specified? The index may or may not contain the foo sourcetype, and this may change over time with new events arriving and old events getting removed. As a result, you can't really decide if this search uses the lookup or not.

0 Karma
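
An added example, not code from any poster in this thread: an offline Python inventory that combines the explicit-lookup regex approach with the automatic-lookup case and the "index with no sourcetype" ambiguity raised above. It assumes the search strings and props.conf text have already been exported; the function names and sample data are constructed for illustration, and the name pattern is widened to keep file extensions such as .csv.

```python
import re
from collections import defaultdict

# Explicit use: | [input|output]lookup [option=value ...] <lookup name>
EXPLICIT = re.compile(
    r"(?i)\|\s*(?:input|output)?lookup\s+(?:[^=|\s]+=[^=|\s]+\s+)*([\w.]+)")
SOURCETYPE = re.compile(r'(?i)\bsourcetype\s*=\s*"?([\w:.\-]+)')

def automatic_lookups(props_text):
    """Map sourcetype -> lookup names set by LOOKUP-<class> in props.conf."""
    auto, stanza = defaultdict(set), None
    for line in map(str.strip, props_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # source:: and host:: stanzas are not sourcetypes; skipped here
            stanza = None if name.startswith(("source::", "host::")) else name
        elif stanza and line.startswith("LOOKUP-") and "=" in line:
            tokens = line.split("=", 1)[1].split()
            if tokens:
                auto[stanza].add(tokens[0])  # first token is the lookup name
    return auto

def lookup_usage(searches, props_text):
    """Return ({lookup: {title: how}}, [titles that cannot be decided])."""
    auto = automatic_lookups(props_text)
    usage, undetermined = defaultdict(dict), []
    for title, spl in searches.items():
        for name in EXPLICIT.findall(spl):
            usage[name][title] = "explicit"
        sourcetypes = SOURCETYPE.findall(spl)
        for st in sourcetypes:
            for name in auto.get(st, ()):
                usage[name].setdefault(title, "automatic")
        # Event search with no sourcetype: any automatic lookup might apply
        if auto and not sourcetypes and not spl.lstrip().startswith("|"):
            undetermined.append(title)
    return usage, undetermined

# Constructed sample data (not from the thread)
PROPS = """[foo]
LOOKUP-assets = asset_lookup ip AS src_ip OUTPUT owner
[source::/var/log/x.log]
LOOKUP-x = other_lookup a OUTPUT b
"""
SEARCHES = {
    "Explicit panel": "index=web | lookup local=true lookup_name foo OUTPUT blah",
    "Report": "| inputlookup append=t users.csv | outputlookup users_backup.csv",
    "Foo panel": 'index=main sourcetype="foo" | stats count by owner',
    "Bar panel": "index=bar | stats count",
}
```

Titles returned in the second list are the searches that need a manual check before a lookup is cloned or renamed, since they name no sourcetype.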