Is there a way to determine if different Splunk rules are utilizing the same input lookup table without looking through each rule?
You can retrieve SPL for each rules and extract lookup names with a regex using something like this:
| rest /servicesNS/-/-/saved/searches
| rex field=search max_match=10 "inputlookup\s+(append=true\s+)?(?P<lookup>[^\.\s\]]+)"
| mvexpand lookup
| fields title lookup
| stats values(title) by lookup
Tweak regex depending on your use case (this one extract lookups that appear after the inputlookup command).
View solution in original post