Splunk Enterprise Security

How to know where a particular eventtype is used?

zacksoft_wf
Communicator

I have an eventtype that I want to delete, but before that I want to make sure that the eventtype isn't used anywhere, like in any datamodel, any correlation search, savedsearch, dashboard, tags etc.

Is there a way I can figure out where in Splunk an eventtype is used?


richgalloway
SplunkTrust

You'll have to search each object type for the eventtype in question. Use the various REST commands at your disposal.

For correlation and saved searches, reports, and alerts (the same thing, really):

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search search="*<<eventtype name>>*"
| table title eai:acl.app author search

For dashboards:

| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For datamodels:

| rest /servicesNS/-/-/data/models splunk_server=local
| search eai:data="*<<eventtype name>>*"
| table title eai:acl.app author eai:data

For tags:

| rest /services/configs/conf-tags splunk_server=local
| search title="eventtype=<<eventtype name>>"
| table title author eai:acl.app
---
If this reply helps you, an upvote would be appreciated.
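The same per-object-type check, done from outside Splunk against the REST endpoints quoted in the answer above, as an added example that is not part of the original post. It assumes a Splunk host reachable over HTTPS and a bearer token (both placeholders), that the four endpoints return JSON entries whose `content.search`, `content.eai:data` and stanza `name` fields hold the definitions the SPL above greps, and it uses constructed sample entries so the matching logic runs offline. It goes beyond the `*name*` wildcard in the answer by matching the eventtype as a whole token, so deleting `web_traffic` is not blocked by a hit on an unrelated `web_traffic_v2`.

```python
"""Audit where a Splunk eventtype is referenced before deleting it.

Added example, not code from the original thread.  SPLUNK_URL and
SPLUNK_TOKEN are placeholders; SAMPLE_ENTRIES is constructed data shaped
like the "entry" list those REST endpoints return with output_mode=json.
"""
import json
import re
import urllib.parse
import urllib.request

SPLUNK_URL = "https://splunk.example.invalid:8089"   # placeholder
SPLUNK_TOKEN = "<bearer token placeholder>"           # placeholder

# object type -> (REST endpoint from the answer above, field holding the definition)
OBJECT_TYPES = {
    "saved_search": ("/servicesNS/-/-/saved/searches", "search"),
    "dashboard": ("/servicesNS/-/-/data/ui/views", "eai:data"),
    "datamodel": ("/servicesNS/-/-/data/models", "eai:data"),
    "tag": ("/services/configs/conf-tags", "title"),
}


def eventtype_pattern(name):
    """Whole-token match: '*name*' would also hit 'name_v2' or 'my_name'."""
    return re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")


def find_references(entries, object_type, eventtype):
    """Return [(object name, app)] for entries of one type that use eventtype.

    Tags are a special case: the tags.conf stanza name is literally
    'eventtype=<name>', so it is compared exactly, as in the SPL above.
    """
    _, field = OBJECT_TYPES[object_type]
    pattern = eventtype_pattern(eventtype)
    hits = []
    for entry in entries:
        name = entry.get("name", "")
        app = entry.get("acl", {}).get("app", "")      # eai:acl.app in SPL output
        if object_type == "tag":
            matched = name == "eventtype=" + eventtype
        else:
            matched = bool(pattern.search(entry.get("content", {}).get(field) or ""))
        if matched:
            hits.append((name, app))
    return hits


def fetch_entries(endpoint, base_url=SPLUNK_URL, token=SPLUNK_TOKEN):
    """GET one endpoint as JSON and return its 'entry' list (needs a live server)."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": 0})
    req = urllib.request.Request(f"{base_url}{endpoint}?{query}",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]


def audit_live(eventtype):
    """Run find_references over every object type on the configured server."""
    return {ot: find_references(fetch_entries(ep), ot, eventtype)
            for ot, (ep, _) in OBJECT_TYPES.items()}


# Constructed sample data: one real reference per type plus a near-miss name.
SAMPLE_ENTRIES = {
    "saved_search": [
        {"name": "Suspicious Web Traffic", "acl": {"app": "SplunkEnterpriseSecuritySuite"},
         "content": {"search": "eventtype=web_traffic | stats count by src"}},
        {"name": "Other Alert", "acl": {"app": "search"},
         "content": {"search": "eventtype=web_traffic_v2 | head 10"}},
    ],
    "dashboard": [
        {"name": "web_overview", "acl": {"app": "search"},
         "content": {"eai:data": '<dashboard><row><panel><search><query>'
                                 'eventtype="web_traffic" | timechart count'
                                 '</query></search></panel></row></dashboard>'}},
    ],
    "datamodel": [
        {"name": "Web", "acl": {"app": "Splunk_SA_CIM"},
         "content": {"eai:data": '{"objectName":"Web","baseSearch":"(eventtype=web_traffic OR tag=web)"}'}},
    ],
    "tag": [
        {"name": "eventtype=web_traffic", "acl": {"app": "search"}, "content": {"web": "enabled"}},
        {"name": "eventtype=web_traffic_v2", "acl": {"app": "search"}, "content": {"web": "enabled"}},
    ],
}


def audit_sample(eventtype="web_traffic"):
    """Offline run of the audit over the constructed entries."""
    return {ot: find_references(entries, ot, eventtype)
            for ot, entries in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for object_type, hits in audit_sample().items():
        print(object_type, hits)
```

An empty list for every object type is the signal that the eventtype is safe to remove; a correlation search that still names it would otherwise keep running and silently return nothing, so the saved-search result deserves the closest look. The whole-token pattern is deliberately stricter than the answer's `*name*` wildcard: it avoids false positives from similarly named eventtypes but, like the SPL, it only sees literal references and will not find an eventtype reached through a macro that expands to it.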