Splunk Search

Request: Lookup Search Ability

edschembor
Path Finder

It would be very convenient to be able to see all of the dashboards in which a lookup is being used - that way if I want to clone/rename a lookup, I know which dashboard panels I need to also change.

0 Karma
1 Solution

the_wolverine
Champion

You could go to "manage views" and search for "lookup". That would return all queries where in-line search syntax contains the lookup.

Similarly, you could do the same within the "saved searches & reports" management UI.


martin_mueller
SplunkTrust

That's an explicit lookup called from within the search... however, many lookups are used as an automatic lookup configured to be automatically added to a sourcetype. Those aren't easy to find, and usually are the ones you miss when looking for them by hand.

0 Karma


martin_mueller
SplunkTrust

Alternatively, you can find saved searches using an explicit lookup, inputlookup, outputlookup command using this:

| rest /servicesNS/user/app/saved/searches | table title eai:acl.app eai:acl.owner search | rex max_match=0 field=search "(?i)\|\s*(input|output)?lookup\s+([^=|\s]+=[^=|\s]+\s+)*(?<lookup>[\w.-]+)" | search lookup=*

The lookups used are extracted into the field lookup... provided I didn't miss odd cases in my QnD regex 🙂

0 Karma
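As an added example (not code from this thread), here is a small Python scanner in the spirit of the rex above: it pulls lookup names out of SPL strings collected from dashboard panels or saved searches, and also reads LOOKUP-* settings from a props.conf fragment so the automatic lookups mentioned earlier are not missed. The search labels, lookup names and props.conf text are constructed sample data.

```python
import re

# Explicit "| lookup", "| inputlookup" and "| outputlookup" invocations in SPL.
# Any key=value options before the lookup name (local=1, append=t, ...) are skipped.
LOOKUP_CMD = re.compile(
    r"\|\s*(?:input|output)?lookup\s+(?:[\w.-]+=\S+\s+)*(?P<name>[\w.-]+)",
    re.IGNORECASE,
)

# Automatic lookups in props.conf: LOOKUP-<label> = <lookup_name> <field> [OUTPUT ...]
AUTO_LOOKUP = re.compile(r"^LOOKUP-[\w.-]+\s*=\s*([\w.-]+)", re.IGNORECASE)


def explicit_lookups(spl):
    """Return the lookup names referenced by explicit lookup commands in one SPL string."""
    return [m.group("name") for m in LOOKUP_CMD.finditer(spl)]


def automatic_lookups(props_conf):
    """Return {stanza: [lookup names]} for every LOOKUP-* setting in a props.conf text."""
    result, stanza = {}, None
    for line in props_conf.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            stanza = header.group(1)
            continue
        m = AUTO_LOOKUP.match(line)
        if m and stanza:
            result.setdefault(stanza, []).append(m.group(1))
    return result


def usages_of(target, searches, props_conf):
    """List every search label and props.conf stanza that references the lookup `target`."""
    hits = [label for label, spl in searches.items() if target in explicit_lookups(spl)]
    hits += ["props.conf [%s]" % st for st, names in automatic_lookups(props_conf).items()
             if target in names]
    return hits


# Constructed sample searches, as they might be pulled from dashboard XML or | rest saved/searches.
SEARCHES = {
    "panel:auth_failures": "index=bar sourcetype=foo | lookup local=1 user_dept user OUTPUT dept | stats count by dept",
    "report:asset_export": "| inputlookup append=t user_dept | outputlookup other_lookup",
    "panel:no_lookup": "index=bar | stats count",
}
# Constructed props.conf fragment: the automatic lookup that a search-text scan alone would miss.
PROPS_CONF = "[foo]\nLOOKUP-auto_foo = user_dept host OUTPUT site\n[baz]\nLOOKUP-x = other_lookup src\n"

if __name__ == "__main__":
    print(usages_of("user_dept", SEARCHES, PROPS_CONF))
```

As the last post in the thread points out, a search such as index=bar with no sourcetype can still hit the automatic lookup at search time, so the props.conf stanzas are reported alongside the explicit references rather than being matched against each search.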

edschembor
Path Finder

But that's not a lookup. If you have " lookup local=1 lookup_name foo OUTPUT blah", then you could have a regex search to find all lookups which call lookup_name. Also, this is just a feature request, not looking for an answer.

0 Karma

martin_mueller
SplunkTrust

I don't think that's a question that can be reasonably answered.

Here's a simple example why I have doubts:
Say you have a lookup defined for sourcetype foo. The lookup search algorithm would obviously flag all searches (and hence dashboards using them) that search for sourcetype="foo".
However, what if you have a search for index=bar with no sourcetype specified? The index may or may not contain the foo sourcetype, and this may change over time with new events arriving and old events getting removed. As a result, you can't really decide if this search uses the lookup or not.

0 Karma