Solved: Export Dashboard XML as CSV for Version Control

daniel_rico · ‎08-11-2017

I have a relatively simple use case but I'm having trouble getting it done. I would like to export the label, description, title and query of each dashboard within my app.

I've gotten as far as this (please don't base your answer on what I have so far unless it's going down the right path 🙂 )

| rest /servicesNS/-/-/data/ui/views 
| search isDashboard=1 eai:acl.app=$APPNAME$ 
| rex max_match=0 field=eai:data "\<description\>(?<DESCRIPTION>.*?)(?:\<\/description\>*?)" 
| rex max_match=0 field=eai:data "\<label\>(?<DB_GROUP>.*?)(?:\<\/label\>*?)" 
| rex max_match=0 field=eai:data "\<title\>(?<DB_NAME>.*?)(?:\<\/title\>*?)"
| rex max_match=0 field=eai:data "\<query\>(?<QUERY>.*?)(?:\<\/query\>*?)" 
| mvexpand DB_NAME
| mvexpand QUERY
| table DB_GROUP DB_NAME DESCRIPTION QUERY eai:acl.app
| dedup QUERY

I'm completely aware that the regex is probably not optimized/etc. and I'll fix that later on.

The primary issue is that the query is going to be a multivalue field, as well as the title. The two mvexpand() commands causing a little dilemma as I'm never "recombining" those values into one field that I can re-extract. This leads to an issue where the table values aren't a 1:1 match.

I was thinking that mvindex() may be the solution but I'm not entirely sure how I'd implement it. Again, spitting in the dark here so any help is much appreciated.

niketn · ‎08-12-2017

@daniel.rico@firstdata.com, as far as your rex is working fine, DB_NAME and QUERY should be multi-value field as Dashboard will have only one description and label.

You can use mvzip() to map multi-valued 1:1. PS: I have used <> as the delimiter since query field is ideally not expected to have < or >, which are escaped as < and > respectively. Then you can use mvexpand command on the new stitched multi-valued field. The split() and mvindex() functions are used to bring back title and query from each panel.

<YourBaseSearch>
| eval DashboardMeta=mvzip(DB_NAME,QUERY,"<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta,"<>")
| eval DB_NAME=mvindex(DashboardMeta,0)
| eval QUERY=mvindex(DashboardMeta,1)
| table DESCRIPTION DB_GROUP DB_NAME QUERY

PS: mvzip expects 1 to 1 fields present in both multi-valued fields being stitched. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-12-2017

@daniel.rico@firstdata.com, as far as your rex is working fine, DB_NAME and QUERY should be multi-value field as Dashboard will have only one description and label.

You can use mvzip() to map multi-valued 1:1. PS: I have used <> as the delimiter since query field is ideally not expected to have < or >, which are escaped as < and > respectively. Then you can use mvexpand command on the new stitched multi-valued field. The split() and mvindex() functions are used to bring back title and query from each panel.

<YourBaseSearch>
| eval DashboardMeta=mvzip(DB_NAME,QUERY,"<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta,"<>")
| eval DB_NAME=mvindex(DashboardMeta,0)
| eval QUERY=mvindex(DashboardMeta,1)
| table DESCRIPTION DB_GROUP DB_NAME QUERY

PS: mvzip expects 1 to 1 fields present in both multi-valued fields being stitched. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

daniel_rico · ‎08-14-2017

Appears to work - I have to do some further testing but this seems like what I need - I didn't think of trying that delim out - Awesome!

Export Dashboard XML as CSV for Version Control

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI