Splunk Enterprise

Is there any way to track deleted lookup files?

buttsurfer
Path Finder

I'm trying to identify all the dashboards broken by lookup files being deleted. But since there are way too many dashboards, is there any not-so-manual way to find all the inconsistencies regarding lookup files without running the dashboards one by one?


richgalloway
SplunkTrust

Here is a query that fetches all of the lookups referenced by dashboards and compares that to the lookups defined on the system.

| rest /servicesNS/-/-/data/ui/views splunk_server=local 
| search * 
| rename eai:data as data title as dashboard
```Look for 'lookup' and 'inputlookup' commands in the dashboard ("view")```
| regex data="\|\s*(?:lookup|inputlookup)\s+" 
```Get the first 2 arguments to the command```
| rex max_match=0 field=data "\|\s*(?:lookup|inputlookup)\s+(?<kw1>[^\s\]]+)\s+(?<kw2>[^\s\]]+)" 
```Zip the arguments together so we can retain the pairing during mvexpand```
| eval kws=mvzip(kw1,kw2)
| mvexpand kws
```Separate the args```
| eval kws=split(kws, ",")
| eval kw1=mvindex(kws,0), kw2=mvindex(kws,1)
```If the first argument is "append=<something>" then the lookup name is in the 2nd arg```
| eval lookup=if(match(kw1,"append=\w+"), kw2, kw1)
| dedup dashboard eai:acl.app eai:acl.owner lookup
| search NOT 
    ```Build a list of existing lookups to exclude from the results```
    [| rest /servicesNS/-/-/data/lookup-table-files 
    | fields title 
    | rename title as lookup 
    | append 
        [| rest /servicesNS/-/-/data/props/lookups 
        | fields transform 
        | rename transform as lookup ] 
    | dedup lookup 
    | format] 
| table dashboard eai:acl.app eai:acl.owner lookup
---
If this reply helps you, Karma would be appreciated.
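
An offline version of the extraction step in the answer above, added here as an example (it is not part of the original post): it applies the same pattern in Python to dashboard XML that has been exported to disk or pulled from an app backup. The sample views, the `EXISTING` set and the function names are constructed; ending an argument at `<` and making the second argument optional are additions that the posted query does not make, so that a lookup name directly followed by `</query>` is still read cleanly.

```python
import re

# Same shape as the rex in the answer: the first two arguments after
# "| lookup" or "| inputlookup". Added here: "<" also ends an argument and
# the second argument is optional.
CMD = re.compile(r"\|\s*(?:lookup|inputlookup)\s+([^\s\]<]+)(?:\s+([^\s\]<]+))?")

def referenced_lookups(view_xml):
    """Return the set of lookup names used by lookup/inputlookup in one view."""
    names = set()
    for kw1, kw2 in CMD.findall(view_xml):
        # "append=<something>" comes before the name, so the name is arg 2.
        name = kw2 if re.match(r"append=\w+", kw1) else kw1
        if name:
            names.add(name)
    return names

def broken_references(views, existing):
    """views: {dashboard: xml}. existing: names of lookup files and definitions.
    Returns sorted (dashboard, lookup) pairs whose lookup is not in existing."""
    return sorted(
        (dash, name)
        for dash, xml in views.items()
        for name in referenced_lookups(xml)
        if name not in existing
    )

# Constructed sample data, not taken from a real deployment.
VIEWS = {
    "assets_overview": (
        "<dashboard><row><panel><table><search>\n"
        "<query>index=net | lookup geo_lookup ip OUTPUT country "
        "| append [| inputlookup vip_users.csv]</query>\n"
        "</search></table></panel></row></dashboard>"
    ),
    "inventory": (
        "<form><search><query>| inputlookup append=true assets.csv</query>"
        "</search></form>"
    ),
}
EXISTING = {"geo_lookup", "assets.csv"}

if __name__ == "__main__":
    for dash, name in broken_references(VIEWS, EXISTING):
        print(f"{dash}: missing lookup {name}")
```
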
