Splunk Enterprise Security

How to know where a particular eventtype is used?

zacksoft_wf
Contributor

I have an eventtype that I want to delete, but before that I want to make sure that the eventtype isn't used anywhere, like in any datamodel, any correlation search, savedsearch, dashboard, tags etc.

Is there a way I can figure out where in Splunk an eventtype is used?


richgalloway
SplunkTrust

You'll have to search each object type for the eventtype in question. Use the various REST commands at your disposal.

For correlation and saved searches, reports, and alerts (the same thing, really):

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search search="*<<eventtype name>>*"
| table title eai:acl.app author search

For dashboards:

| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For datamodels:

| rest /servicesNS/-/-/data/models splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For tags:

| rest /services/configs/conf-tags splunk_server=local 
| search title="eventtype=<<eventtype name>>"
| table title author eai:acl.app
---
If this reply helps you, Karma would be appreciated.
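A consolidated version of the four REST checks above, as an added Python example that is not from the original thread: it applies one boundary-aware pattern to the JSON form of each endpoint's output, so an eventtype name does not also flag objects that reference a longer name sharing its prefix (which a bare `*name*` wildcard would). The endpoint-to-field mapping follows the answer; the sample bodies and the object names in them are constructed.

```python
import json
import re

# REST endpoints from the answer above, mapped to the entry field that holds the
# object's body. Tags are matched on the stanza title ("eventtype=<name>") instead.
# Live bodies come from GET https://<host>:8089/servicesNS/-/-/<endpoint>?output_mode=json&count=0
ENDPOINTS = {
    "saved/searches": "search",     # searches, reports, alerts, correlation searches
    "data/ui/views": "eai:data",    # dashboard XML
    "data/models": "eai:data",      # data model JSON; constraints hold the base search
    "configs/conf-tags": None,      # title is the tags.conf stanza name
}

def eventtype_pattern(name):
    # eventtype=name, eventtype="name" or eventtype='name', ending at a boundary so
    # failed_login does not also match failed_login_remote. Case-insensitive like
    # the search command used in the SPL above.
    return re.compile(r"eventtype\s*=\s*[\"']?" + re.escape(name) + r"(?![\w-])", re.I)

def find_references(name, responses):
    """responses: {endpoint: JSON body string}; returns one dict per referencing object."""
    pat = eventtype_pattern(name)
    hits = []
    for endpoint, body in responses.items():
        field = ENDPOINTS[endpoint]
        for entry in json.loads(body).get("entry", []):
            text = entry["name"] if field is None else (entry.get("content", {}).get(field) or "")
            if pat.search(text):
                acl = entry.get("acl", {})
                hits.append({"endpoint": endpoint, "title": entry["name"],
                             "app": acl.get("app"), "owner": acl.get("owner")})
    return hits

# Constructed sample bodies in the shape of the REST JSON output (not real objects).
SAMPLE = {
    "saved/searches": json.dumps({"entry": [
        {"name": "Brute Force Detected", "acl": {"app": "search", "owner": "admin"},
         "content": {"search": "eventtype=failed_login | stats count by src"}},
        {"name": "Remote noise", "acl": {"app": "search", "owner": "admin"},
         "content": {"search": "eventtype=failed_login_remote | head 10"}}]}),
    "data/ui/views": json.dumps({"entry": [
        {"name": "auth_overview", "acl": {"app": "search", "owner": "admin"},
         "content": {"eai:data": '<dashboard><query>eventtype="failed_login" | timechart count</query></dashboard>'}}]}),
    "data/models": json.dumps({"entry": [
        {"name": "Authentication", "acl": {"app": "search", "owner": "nobody"},
         "content": {"eai:data": json.dumps({"objects": [{"constraints": [{"search": "eventtype=failed_login"}]}]})}}]}),
    "configs/conf-tags": json.dumps({"entry": [
        {"name": "eventtype=failed_login", "acl": {"app": "search", "owner": "admin"}, "content": {}}]}),
}
```

Running `find_references("failed_login", SAMPLE)` reports the saved search, dashboard, data model and tag that use the eventtype, and leaves out the search that only references `failed_login_remote`.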