How to know where a particular eventtype is used ...

zacksoft_wf · ‎09-21-2021

I have an eventtype that I want to delete, But before that I want to make sure that the eventtype isn't used anywhere , like in any datamodel, any correlation search, savedsearch , dashboard, tags etc....

Is there a way , I can figure out where in the Splunk an eventtype is used ?

richgalloway · ‎09-21-2021

You'll have to search each object type for the eventtype in question. Use the various REST commands at your disposal.

For correlation and saved searches, reports, and alerts (the same thing, really):

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search search="*<<eventtype name>>*"
| table title eai:acl.app author search

For dashboards:

| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For datamodels:

| rest /servicesNS/-/-/data/models splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For tags:

| rest /services/configs/conf-tags splunk_server=local 
| search title="eventtype=<<eventtype name>>"
| table title author eai:acl.app

---
If this reply helps you, Karma would be appreciated.

How to know where a particular eventtype is used ?

using Enterprise Security

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas