Splunk Enterprise

Is there any way to track deleted lookup files?

buttsurfer
Path Finder

I'm trying to identify all the dashboards broken from lookup files being deleted. But since there are way too many dashboards, is there any not-so-manual way to find out all the inconsistencies regarding lookup files without running the dashboards one by one?


richgalloway
SplunkTrust

Here is a query that fetches all of the lookups referenced by dashboards and compares that to the lookups defined on the system.

| rest /servicesNS/-/-/data/ui/views splunk_server=local 
| search * 
| rename eai:data as data title as dashboard
```Look for 'lookup' and 'inputlookup' commands in the dashboard ("view")```
| regex data="\|\s*(?:lookup|inputlookup)\s+" 
```Get the first 2 arguments to the command```
| rex max_match=0 field=data "\|\s*(?:lookup|inputlookup)\s+(?<kw1>[^\s\]]+)\s+(?<kw2>[^\s\]]+)" 
```Zip the arguments together so we can retain the pairing during mvexpand```
| eval kws=mvzip(kw1,kw2)
| mvexpand kws
```Separate the args```
| eval kws=split(kws, ",")
| eval kw1=mvindex(kws,0), kw2=mvindex(kws,1)
```If the first argument is "append=<something>" then the lookup name is in the 2nd arg```
| eval lookup=if(match(kw1,"append=\w+"), kw2, kw1)
| dedup dashboard eai:acl.app eai:acl.owner lookup
| search NOT 
    ```Build a list of existing lookups to exclude from the results```
    [| rest /servicesNS/-/-/data/lookup-table-files 
    | fields title 
    | rename title as lookup 
    | append 
        [| rest /servicesNS/-/-/data/props/lookups 
        | fields transform 
        | rename transform as lookup ] 
    | dedup lookup 
    | format] 
| table dashboard eai:acl.app eai:acl.owner lookup
---
If this reply helps you, Karma would be appreciated.
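
The same comparison can be run offline against exported dashboard XML. The sketch below is an added example, not part of the original reply: it assumes Simple XML views whose searches sit in `<query>` elements, skips any leading `name=value` option rather than only `append=`, and uses hypothetical dashboard and lookup names as constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# A lookup/inputlookup command and its arguments, up to the next pipe or "]".
LOOKUP_CMD = re.compile(r"\|\s*(?:lookup|inputlookup)\s+([^|\]]+)")
OPTION = re.compile(r"^\w+=")  # leading options such as append=t or local=true


def referenced_lookups(dashboard_xml):
    """Return the lookup names used by the <query> elements of one view."""
    names = set()
    for query in ET.fromstring(dashboard_xml).iter("query"):
        for match in LOOKUP_CMD.finditer(query.text or ""):
            args = match.group(1).split()
            # The lookup name is the first argument that is not an option.
            name = next((a for a in args if not OPTION.match(a)), None)
            if name and "$" not in name:  # $token$ names cannot be resolved here
                names.add(name)
    return names


def broken_dashboards(views, existing):
    """Map dashboard name -> sorted lookups it references that do not exist."""
    report = {}
    for dashboard, xml_text in views.items():
        missing = sorted(referenced_lookups(xml_text) - existing)
        if missing:
            report[dashboard] = missing
    return report


# Constructed sample data (hypothetical dashboards and lookup names).
SAMPLE_VIEWS = {
    "assets": """<dashboard><row><panel><table><search>
        <query>| inputlookup append=t asset_owners.csv | stats count by owner</query>
      </search></table></panel></row></dashboard>""",
    "auth": """<dashboard><row><panel><chart><search>
        <query>index=auth | lookup user_roles user OUTPUT role
               | append [| inputlookup retired_hosts.csv]</query>
      </search></chart></panel></row></dashboard>""",
}
SAMPLE_EXISTING = {"user_roles", "asset_owners.csv"}

if __name__ == "__main__":
    for dashboard, missing in broken_dashboards(SAMPLE_VIEWS, SAMPLE_EXISTING).items():
        print(dashboard, missing)
```

The `existing` set has to hold both lookup file names and lookup definition names, the same two sources the subsearch in the query above collects.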
