Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

List all the dashboards using specific metrics index

BEN_
Engager
‎12-05-2023 06:32 AM

I would like to find a way to list the dependency between dashboards and indexes.

I'm using the following query to get the list of all the Dashboards using the index Oracle which is an event Index.

 

 

 

 

 

 

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| search "eai:data"="*index=oracle*"
| eval Type="Dashboards"
| table Type title eai:acl.app author eai:acl.perms.read

 

 

 

 

 

 

This query is working fine but not for Metrics index.

Am I missing something ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 01:24 PM

There is no good reason why it would not find it if it is present. You should be able to figure out the issue by just finding a single dashboard you know has that expression and running this

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search title="xyz"
| eval match=if(match('eai:data', "(?i)index=murex_metrics", 1, 0)
| table match eai:data

replace xyz with your dashboard title and then you will have two columns match and eai:data - match will be 1 or 0 depending if found and you should be able to do a visual check on the data

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-05-2023 03:00 PM

Your search= statement is simply looking for that index=oracle somewhere in the dashboard. If you have index="oracle" or index = oracle then it won't match, so it may be better to do a regex where clause, where you do

...
| where match('eai:data', "(?i)index\s*(=[\s\"]*|in\s+\([\w,]*)oracle")

what is an example of a metrics index search that is not showing up?

 

0 Karma
Reply
Solved! Jump to solution

BEN_
Engager
‎12-12-2023 07:41 AM

Thank you for your response. I'm using explicitly the index="oracle" as an example to confirm when the search works fine for an index event. When I use the same search for Metrics index (replacing index="oracle" by index="murex_metrics")   it doesn't work knowing that we have existent dashboards using this metrics index.

here the  example of a metrics index search

 

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search "eai:data"="*index=murex_metrics*"

 

 thanks

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 01:24 PM

There is no good reason why it would not find it if it is present. You should be able to figure out the issue by just finding a single dashboard you know has that expression and running this

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search title="xyz"
| eval match=if(match('eai:data', "(?i)index=murex_metrics", 1, 0)
| table match eai:data

replace xyz with your dashboard title and then you will have two columns match and eai:data - match will be 1 or 0 depending if found and you should be able to do a visual check on the data

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎12-14-2023 04:16 AM

@BEN_ - While this covers much of what you are trying to find. It's important to keep in mind that this would not cover all the scenarios. Some example queries would not be covered by the query.

  • index IN (murex_metrics)
  • index=*
  • index=murex*
  • etc

 

0 Karma
Reply
Solved! Jump to solution

BEN_
Engager
‎12-14-2023 02:55 AM

Hi bowesmana,

Yes you are right. The query is working fine for both event and Metrics indexes. the problem was at level of the search filter.

I found that the search in the dashboard contains ""  {... WHERE "index"="murex_metrics" AND ... } this explains why the filter in my search "eai:data"="*index=murex_metrics*" didn't return any data.

Thanks again

 

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...