Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Find knowledge Objects that are using sourcetypes

vamsigurram
Path Finder
‎10-23-2020 06:59 AM

I need to find the users that are using sourcetypes in their savedsearches (reports/dashboards).

I have list of sourcetypes in csv file.

 

SPL1:(this gives me source type list)

| inputlookup sourcetypelist.csv  

 

SPL2: (this gives list of savedsearches and their search string used). I see 1200 rows here.

| rest /servicesNS/-/search/saved/searches | search search="*sourcetype*"
| fields qualifiedSearch search title author

 

I need to combine the above 2 SPL's (inner join, append, sub search. I am not sure), to find only those saved seaches that are using the specfic sourcetypes (listed from SPL1, above.), in their savedsearch SPL's,  

 

| rest /servicesNS/-/search/saved/searches | search search="*sourcetype*"
| fields qualifiedSearch search title author | where match(search,"osma")

As seen highlighted above match   function (osma is one of the sourcetype value) takes string/regex, but not variable. I cannot do this | where match(search, $sourcetype_variable$)

I would appreciate if someone can help me here.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vamsigurram
Path Finder
‎10-23-2020 11:04 AM

I found the issue in the lookup.

This is working.

| rest /servicesNS/-/-/saved/searches
| search search="*sourcetype=*"
| fields qualifiedSearch search title author
| rex field=qualifiedSearch "sourcetype=\s*\"*(?<st>[^\"\ \)]+)"
| eval st = lower(st)
| lookup temp_pvsi_sourcetypes.csv sourcetype as st OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2020 07:34 AM

See if this helps

| rest /servicesNS/-/search/saved/searches 
| search search="*sourcetype*"
| fields qualifiedSearch search title author 
| rex field=qualifiedSearch "sourcetype\s*=\s*(?<st>[\w\*]+)"
| lookup sourcetypelist.csv st as sourcetype OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

vamsigurram
Path Finder
‎10-23-2020 11:04 AM

I found the issue in the lookup.

This is working.

| rest /servicesNS/-/-/saved/searches
| search search="*sourcetype=*"
| fields qualifiedSearch search title author
| rex field=qualifiedSearch "sourcetype=\s*\"*(?<st>[^\"\ \)]+)"
| eval st = lower(st)
| lookup temp_pvsi_sourcetypes.csv sourcetype as st OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)

0 Karma
Reply
Solved! Jump to solution

vamsigurram
Path Finder
‎10-23-2020 09:34 AM

I updated rex. But Lookup is giving issue.

| rest /servicesNS/-/search/saved/searches
| search search="*sourcetype=*"
| fields qualifiedSearch search title author
| rex field=qualifiedSearch "sourcetype=\s*\"*(?<st>[^\"\ \)]+)"
| eval st = lower(st)
| lookup sourcetypelist.csv st as sourcetype OUTPUT sourcetype as sourcetypefound
| where isnotnull(sourcetypefound)

 

Error in 'lookup' command: Could not construct lookup 'sourcetypelist.csv, st, as, sourcetype, OUTPUT, sourcetype, as, sourcetypefound'. See search.log for more details.

 

| inputlookup temp_pvsi_sourcetypes.csv (this gives fields index, sourcetype)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...