Splunk Search

Find knowledge Objects that are using sourcetypes

vamsigurram
Path Finder

I need to find the users that are using sourcetypes in their savedsearches (reports/dashboards).

I have list of sourcetypes in csv file.

 

SPL1 (this gives me the sourcetype list):

| inputlookup sourcetypelist.csv  

 

SPL2 (this gives the list of savedsearches and the search string each uses). I see 1200 rows here.

| rest /servicesNS/-/search/saved/searches | search search="*sourcetype*"
| fields qualifiedSearch search title author

 

I need to combine the above two SPLs (inner join, append, subsearch; I am not sure which) to find only those saved searches that are using the specific sourcetypes (listed by SPL1 above) in their savedsearch SPL.

 

| rest /servicesNS/-/search/saved/searches | search search="*sourcetype*"
| fields qualifiedSearch search title author | where match(search,"osma")

As seen highlighted above, the match function (osma is one of the sourcetype values) takes a string/regex, but not a variable. I cannot do this: | where match(search, $sourcetype_variable$)

I would appreciate it if someone can help me here.

0 Karma
1 Solution

vamsigurram
Path Finder

I found the issue in the lookup.

This is working.

| rest /servicesNS/-/-/saved/searches
| search search="*sourcetype=*"
| fields qualifiedSearch search title author
| rex field=qualifiedSearch "sourcetype=\s*\"*(?<st>[^\"\ \)]+)"
| eval st = lower(st)
| lookup temp_pvsi_sourcetypes.csv sourcetype as st OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)


0 Karma
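The accepted pipeline above (rex extract, lower-case, lookup join, keep rows where the lookup returned a value) modelled offline in Python, as an added example that is not code from this thread. The saved-search rows and the CSV contents are constructed stand-ins for what "| rest /servicesNS/-/-/saved/searches" and "| inputlookup temp_pvsi_sourcetypes.csv" would return, and the regex is the accepted answer's pattern transcribed into Python's (?P<st>...) syntax. One deliberate difference: rex keeps only the first match unless max_match is raised, whereas this version returns every sourcetype a search names, so a search that references several sourcetypes is not reduced to its first one.

```python
import csv
import io
import re

# Regex from the accepted SPL answer, transcribed to Python syntax:
#   sourcetype=\s*\"*(?<st>[^\"\ \)]+)   ->   (?P<st>...)
# After "sourcetype=" it skips optional whitespace and quotes, then captures
# up to the next quote, space or closing parenthesis.
SOURCETYPE_RE = re.compile(r'sourcetype=\s*"*(?P<st>[^" )]+)')

# Constructed stand-in for the CSV behind "| inputlookup temp_pvsi_sourcetypes.csv"
# (fields: index, sourcetype). Values are made up for this example.
SOURCETYPE_CSV = """index,sourcetype
main,osma
main,access_combined
security,wineventlog
"""

# Constructed stand-in for the rows "| rest /servicesNS/-/-/saved/searches"
# returns (title, author, qualifiedSearch). Entirely made up.
SAVED_SEARCHES = [
    {"title": "osma errors", "author": "alice",
     "qualifiedSearch": 'search index=main sourcetype=OSMA error | stats count'},
    {"title": "web 5xx", "author": "bob",
     "qualifiedSearch": 'search index=main sourcetype="access_combined" status>=500'},
    {"title": "multi", "author": "carol",
     "qualifiedSearch": 'search (sourcetype=wineventlog) OR (sourcetype=syslog)'},
    {"title": "no sourcetype", "author": "dave",
     "qualifiedSearch": 'search index=main host=web* | head 10'},
]


def load_sourcetypes(csv_text):
    """Model of the lookup table: the set of sourcetype values, lower-cased
    so the comparison matches the `| eval st = lower(st)` step."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sourcetype"].strip().lower() for row in reader}


def extract_sourcetypes(spl):
    """Model of the `rex` step, returning every match rather than only the
    first (rex's default max_match=1 would keep just the first value)."""
    return [m.group("st").lower() for m in SOURCETYPE_RE.finditer(spl)]


def find_matching_searches(saved_searches, sourcetype_set):
    """Model of `lookup ... OUTPUT sourcetype as sourcetypefound
    | where isnotnull(sourcetypefound)`: keep a saved search only when one
    of its extracted sourcetypes is in the list, and report which matched."""
    results = []
    for row in saved_searches:
        found = [st for st in extract_sourcetypes(row["qualifiedSearch"])
                 if st in sourcetype_set]
        if found:
            results.append({"title": row["title"], "author": row["author"],
                            "sourcetypefound": found})
    return results


if __name__ == "__main__":
    hits = find_matching_searches(SAVED_SEARCHES, load_sourcetypes(SOURCETYPE_CSV))
    for hit in hits:
        print(f'{hit["author"]:6} {hit["title"]:14} -> {", ".join(hit["sourcetypefound"])}')
```

Two points this makes visible. First, the lookup command's argument order is lookup <name> <lookup_field> AS <event_field>, which is why the accepted answer writes "sourcetype as st" and the earlier attempt with "st as sourcetype" produced the "Could not construct lookup" error. Second, both regexes in the thread only recognise the "sourcetype=value" form; a search written as "sourcetype IN (a, b)" or one that reaches a sourcetype through a macro or an eventtype will not be matched and has to be covered separately.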

richgalloway
SplunkTrust

See if this helps

| rest /servicesNS/-/search/saved/searches 
| search search="*sourcetype*"
| fields qualifiedSearch search title author 
| rex field=qualifiedSearch "sourcetype\s*=\s*(?<st>[\w\*]+)"
| lookup sourcetypelist.csv st as sourcetype OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)
---
If this reply helps you, Karma would be appreciated.
0 Karma

vamsigurram
Path Finder

I updated the rex, but the lookup is giving an issue.

| rest /servicesNS/-/search/saved/searches
| search search="*sourcetype=*"
| fields qualifiedSearch search title author
| rex field=qualifiedSearch "sourcetype=\s*\"*(?<st>[^\"\ \)]+)"
| eval st = lower(st)
| lookup sourcetypelist.csv st as sourcetype OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)


Error in 'lookup' command: Could not construct lookup 'sourcetypelist.csv, st, as, sourcetype, OUTPUT, sourcetype, as, sourcetypefound'. See search.log for more details.


| inputlookup temp_pvsi_sourcetypes.csv (this gives fields index, sourcetype)

0 Karma