Using Splunk 6.2.1, how do I export the details of configured reports, alerts, and dashboards in an Excel (CSV) file?

splunkvickyloui
Explorer

Hi,

We are using Splunk Enterprise 6.2.1. We have two separate search heads. In each search head we have configured many Reports, Alerts, and Dashboards. I want to export those Reports, Alerts, and Dashboards which are configured by all the users to a single Excel (CSV) file. Is there any search to have the below fields?

Owner | Title | Description | Search | earliest_time | latest_time | cron_schedule | Recipients | Type (Alert or Report or Dashboard)

Thanks in advance.

0 Karma

somesoni2
SplunkTrust

Try something like this

| rest /servicesNS/-/-/saved/searches splunk_server=local | table author title description search dispatch.earliest_time dispatch.latest_time auto_summarize.cron_schedule action.email.to alert_comparator qualifiedSearch | eval Type=case(len(trim(qualifiedSearch))=4,"Dashboard",len(alert_comparator)=0,"Report",1=1,"Alert") | fields - alert_comparator qualifiedSearch | rename author as Owner title as Title description as Description search as Search dispatch.earliest_time as Earliest_time dispatch.latest_time as Latest_time auto_summarize.cron_schedule as Cron_Schedule action.email.to as Recipients

puneethgowda
Communicator

Is it possible to export a dashboard with multiple tables into Excel?

0 Karma

splunkvickyloui
Explorer

Thanks a lot somesoni2.

This part is not pulling the proper result. Here alert_comparator gives the result as "greater than" and qualifiedSearch displays my search query.

alert_comparator qualifiedSearch | eval Type=case(len(trim(qualifiedSearch))=4,"Dashboard",len(alert_comparator)=0,"Report",1=1,"Alert") | fields - alert_comparator qualifiedSearch 

I am trying to pull the alert, report and dashboard details which are configured under the default search app and other deployed apps.

Thanks in advance.

0 Karma

somesoni2
SplunkTrust

So the "Reports" and "Alert" categorization is correct but "Dashboard" is not correct?

0 Karma

splunkvickyloui
Explorer

Yes. Reports and Alerts categorizations are correct. Only the "Dashboard" categorization shows a few currently available dashboards and a few currently unavailable dashboards.

Note: A few alerts which were scheduled to monitor in real time (rt) were listed as reports. I have changed the real-time monitoring to a cron-scheduled one. Now they are fine.

Thanks for helping me.

0 Karma

somesoni2
SplunkTrust

The above search is showing scheduled (PDF delivery) dashboards under the "Dashboard" category. I guess we can consider them as reports. You can get information about the dashboards (forms and dashboards) by using the following. Note that all fields from the above search will not apply to dashboards.

| rest /servicesNS/-/-/saved/searches splunk_server=local | table author title description search dispatch.earliest_time dispatch.latest_time auto_summarize.cron_schedule action.email.to alert_comparator | eval Type=case(len(alert_comparator)=0,"Report",1=1,"Alert") | fields - alert_comparator | append [ | rest /servicesNS/-/-/data/ui/views | table author title description | eval Type="Dashboard" ] | fillnull value="NA" | rename author as Owner title as Title description as Description search as Search dispatch.earliest_time as Earliest_time dispatch.latest_time as Latest_time auto_summarize.cron_schedule as Cron_Schedule action.email.to as Recipients
0 Karma

splunkvickyloui
Explorer

Thanks again somesoni2. This pulls Report, Alerts and Dashboards. 🙂

But Dashboards are not pulling "Description", "Search" and "Recipients". It would be great if you can help me on that as well.

I really appreciate your help on this.

0 Karma

somesoni2
SplunkTrust

Try this for getting the description. The fields search and recipients are not applicable to Dashboards (a dashboard can have multiple searches and it's not being sent to anyone).

| rest /servicesNS/-/-/saved/searches splunk_server=local | table author title description search dispatch.earliest_time dispatch.latest_time auto_summarize.cron_schedule action.email.to alert_comparator | eval Type=case(len(alert_comparator)=0,"Report",1=1,"Alert") | fields - alert_comparator | append [ | rest /servicesNS/-/-/data/ui/views | rex field=eai:data "\<description\>(?<description>.*)\<\/description\>"| table author title description | eval Type="Dashboard" ] | fillnull value="NA" | rename author as Owner title as Title description as Description search as Search dispatch.earliest_time as Earliest_time dispatch.latest_time as Latest_time auto_summarize.cron_schedule as Cron_Schedule action.email.to as Recipients
0 Karma
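
The last answer points out that a dashboard can hold several searches, so its Search column has no single value. As an added example (not code from this thread or from Splunk), the Python below parses the Simple XML held in eai:data offline and emits one CSV row per dashboard search; the sample views, the column list and the function names are assumptions made for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample rows, shaped like the output of
# `| rest /servicesNS/-/-/data/ui/views` (author, title, eai:data).
SAMPLE_VIEWS = [
    {"author": "admin", "title": "failed_logins", "eai:data": """<dashboard>
  <label>Failed logins</label>
  <description>Authentication failures by host</description>
  <row>
    <chart>
      <search><query>index=os action=failure | timechart count by host</query></search>
    </chart>
    <table>
      <searchString>index=os action=failure | top user</searchString>
    </table>
  </row>
</dashboard>"""},
    # Truncated XML, to show the fallback path.
    {"author": "nobody", "title": "broken_view", "eai:data": "<form><label>x</label>"},
]

COLUMNS = ["Owner", "Title", "Description", "Search", "Type"]

def dashboard_rows(views):
    """Yield one row per search in each dashboard; NA where nothing is found."""
    for view in views:
        base = {"Owner": view["author"], "Title": view["title"], "Type": "Dashboard"}
        try:
            root = ET.fromstring(view["eai:data"])
        except ET.ParseError:
            yield {**base, "Description": "NA", "Search": "NA"}
            continue
        # Direct child only: the dashboard-level <description>.
        desc = (root.findtext("description") or "").strip() or "NA"
        queries = [e.text.strip() for e in root.iter()
                   if e.tag in ("query", "searchString") and (e.text or "").strip()]
        for query in queries or ["NA"]:
            yield {**base, "Description": desc, "Search": query}

def to_csv(rows):
    """Render rows as CSV text with the column order used in the thread."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Calling `to_csv(dashboard_rows(SAMPLE_VIEWS))` returns the CSV text; unparseable views still produce a row, so the inventory stays complete.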