I have a dashboard that lists/groups recently updated dashboards and I just wanted to know if there was a way to also add another column to view and search the indexes of those same dashboards.
Here is my code below
<table>
  <search>
    <query>index=_internal source=*web_access.log* /app/ action=edit | rex "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)" | table dashboard_name, _time, app_name, user</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <option name="count">50</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">cell</option>
  <option name="percentagesRow">false</option>
  <option name="rowNumbers">false</option>
  <option name="totalsRow">false</option>
  <option name="wrap">true</option>
</table>
By the way, I am referring to the indices that the searches inside the dashboard belong to.
You must pull the searches that are used on the dashboards from the XML. The tricky part is that it can also use saved searches.
We created a REST search that lists all the dashboards with the searches that are used on them (inline or saved search, and what the search is). It's not exactly what you want, but you could use it to extract the searches from your dashboards.
| rest /servicesNS/-/-/data/ui/views splunk_server=*
| rename eai:* as *
| rename acl.* as *
| search isVisible=1
| fields title data app
| makemv veld2 delim=","
| rex field=data max_match=0 "query\>(?<veld2>[^\<]+).*\<\/query"
| mvexpand veld2
| eval Applicatie=app
| eval Dashboard=title
| eval search=veld2
| fields search Applicatie Dashboard
| dedup search Applicatie Dashboard
| append
    [| rest /servicesNS/-/-/saved/searches/ splunk_server=*
    | dedup title
    | rename eai:* as *
    | rename acl.* as *
    | search sharing!=user
    | rename title as searchname
    | fields searchname is_scheduled search app
    | dedup searchname is_scheduled search app
    | join max=0 searchname
        [| rest /servicesNS/-/-/data/ui/views splunk_server=*
        | rename eai:* as *
        | rename acl.* as *
        | search isVisible=1 sharing!=user
        | fields title data app
        | makemv savedsearch delim=","
        | rex field=data max_match=0 "search ref=\"(?<savedsearch>[^\"]+)\""
        | mvexpand savedsearch
        | eval Applicatie=app
        | eval Dashboard=title
        | rename savedsearch as searchname
        | fields searchname Applicatie Dashboard
        | dedup searchname Applicatie Dashboard ]]
| fields Dashboard, Applicatie, search, searchname, is_scheduled
| eval is_scheduled=if(isnull(is_scheduled),"inline-search",is_scheduled)
Are you referring to the indices that the searches inside the dashboard belong to? So if you have a dashboard with two panels and one panel has a search in index=a and another panel with a search in index=b, you want to know that that dashboard "belongs" to indices a and b?
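The extraction step discussed in this thread, as an added example (not code from any of the posters): it parses a dashboard's Simple XML, resolves `ref` saved searches from a lookup table, and collects the index names written literally in each search. The XML, the saved-search table and every name in them are constructed for illustration, built around the two-panel index=a / index=b case from the comment above. Searches with no literal index (macros, tokens, default indexes) are returned separately for manual review.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two-panel case from the thread, plus a saved-search
# reference and a macro-only panel. All names are made up for illustration.
DASHBOARD_XML = """<dashboard>
  <row>
    <panel><table><search>
      <query>index=a sourcetype=x | stats count by host</query>
    </search></table></panel>
    <panel><chart><search>
      <query><![CDATA[index IN ("b", c_*) | rex "(?<u>[a-z]+)" | timechart count]]></query>
    </search></chart></panel>
    <panel><table><search ref="failed_logins"/></table></panel>
    <panel><table><search><query>`my_macro` | head 5</query></search></table></panel>
  </row>
</dashboard>"""
SAVED_SEARCHES = {"failed_logins": "index=d action=failure | top user"}

INDEX_EQ = re.compile(r'\bindex\s*=\s*"?([\w*-]+)', re.I)   # index=a, index="a"
INDEX_IN = re.compile(r'\bindex\s+IN\s*\(([^)]*)\)', re.I)   # index IN (a, b)

def indexes_in(spl):
    """Return the index names written literally in an SPL string."""
    found = set(INDEX_EQ.findall(spl))
    for group in INDEX_IN.findall(spl):
        found.update(t.strip().strip('"') for t in group.split(",") if t.strip())
    return found

def dashboard_indexes(xml_text, saved_searches):
    """Return (sorted index names, searches that name no literal index)."""
    indexes, unresolved = set(), []
    for node in ET.fromstring(xml_text).iter("search"):
        if node.get("base"):      # post-process search: inherits from its base
            continue
        ref = node.get("ref")     # saved-search reference, else inline <query>
        spl = saved_searches.get(ref, "") if ref else (node.findtext("query") or "")
        found = indexes_in(spl)
        indexes |= found
        if not found:             # macro, token, default index or unknown ref
            unresolved.append(ref or spl.strip())
    return sorted(indexes), unresolved

if __name__ == "__main__":
    print(dashboard_indexes(DASHBOARD_XML, SAVED_SEARCHES))
```

Parsing the XML instead of matching on `query>` also picks up queries wrapped in CDATA, which is how a query containing `<` has to be stored.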