Solved: Is there a way to determine if different Splunk ru...

Ghanayem1974 · ‎04-11-2018

Is there a way to determine if different Splunk rules are utilizing the same input lookup table without looking through each rule?

damien_chillet · ‎04-12-2018

You can retrieve SPL for each rules and extract lookup names with a regex using something like this:

| rest /servicesNS/-/-/saved/searches
| rex field=search max_match=10 "inputlookup\s+(append=true\s+)?(?P<lookup>[^\.\s\]]+)"
| mvexpand lookup
| fields title lookup
| stats values(title) by lookup

Tweak regex depending on your use case (this one extract lookups that appear after the inputlookup command).

View solution in original post

damien_chillet · ‎04-12-2018

You can retrieve SPL for each rules and extract lookup names with a regex using something like this:

| rest /servicesNS/-/-/saved/searches
| rex field=search max_match=10 "inputlookup\s+(append=true\s+)?(?P<lookup>[^\.\s\]]+)"
| mvexpand lookup
| fields title lookup
| stats values(title) by lookup

Tweak regex depending on your use case (this one extract lookups that appear after the inputlookup command).

Is there a way to determine if different Splunk rules are utilizing the same input lookup table without looking through each rule?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Is there a way to determine if different Splunk rules are utilizing the same input lookup table without looking through each rule?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits