Splunk Search

How to find all Dashboards, Reports and Alerts related to a specific index ?

john_glasscock
Path Finder

Our Splunk instance is being overhauled and I need to update all of the content that has been built. We have some indexes that are changing name, and I am looking for a query that I can run to find all Dashboards, Reports and Alerts that are based of specific indexes.

I.E. index=main is changing to index=core.

I need to search for all Dashboards, Reports and Alerts that reference index=main so I can change them to index=core.

Tags (1)

jaxjohnny2000
Builder

Try this:

| rest /servicesNS/-/-/data/ui/views splunk_server_group=*
| search ("eai:data"=*query*)
| regex eai:data="<search.*"
| rex field=eai:data "(?P<theSearch><search(?!String)[^>]*>[^<]*<query>.*?)<\/query>" max_match=200
| mvexpand theSearch
| rex field=theSearch "<search(?P<searchInfo>[^>]*)>[^<]*<query>(?P<theQuery>.*)"
| rename "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:appName" as application, label as name
| table name, title, application, owner, sharing, splunk_server, theQuery
| search theQuery="***" owner=***
| rename name as "Friendly Name", title as Title, theQuery AS "Panel Content"

***************

place your index name in theQuery search

***************

Try this as a dashboard:

<form>
<label>FNF: Dashboard Search</label>
<description>This dashboard will search content across infrastructure for embedded code in any panel searches</description>
<fieldset submitButton="false">
<input type="dropdown" token="varSplunkServerGroup" searchWhenChanged="true">
<label>Select Splunk Server Group</label>
<choice value="*">All Servers</choice>
<choice value="es_shc">ES Search Heads</choice>
<choice value="adhoc_shc">Ad-Hoc Search Heads</choice>
<choice value="dmc_group_cluster_master">Cluster Master</choice>
<choice value="dmc_customgroup_monitoring_console">Monitoring Console</choice>
<choice value="dmc_group_indexer">Indexers</choice>
<choice value="dmc_group_license_master">License Server</choice>
<choice value="dmc_group_hfs">Heavy Forwarders</choice>
<choice value="dmc_group_deployment_server">Deployment Server</choice>
<choice value="dmc_group_search_head">All Search Heads</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="text" token="varOwner" searchWhenChanged="true">
<label>Owner Search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="text" token="varContentSearch" searchWhenChanged="true">
<label>Content Search</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| rest /servicesNS/-/-/data/ui/views splunk_server_group=$varSplunkServerGroup$
| search ("eai:data"=*query*)
| regex eai:data="&lt;search.*"
| rex field=eai:data "(?P&lt;theSearch&gt;&lt;search(?!String)[^&gt;]*&gt;[^&lt;]*&lt;query&gt;.*?)&lt;\/query&gt;" max_match=200
| mvexpand theSearch
| rex field=theSearch "&lt;search(?P&lt;searchInfo&gt;[^&gt;]*)&gt;[^&lt;]*&lt;query&gt;(?P&lt;theQuery&gt;.*)"
| rename "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:appName" as application, label as name
| table name, title, application, owner, sharing, splunk_server, theQuery
| search theQuery=$varContentSearch$ owner=*$varOwner$*
| rename name as "Friendly Name", title as Title, theQuery AS "Panel Content"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no association between an index and the dashboards, reports, and alerts that reference it. You must search each all dashboards, reports, saved searches, alerts, macros, views, and eventtypes (I may have missed one or two) for "index=main". Don't forget private knowledge objects, although you could make each user responsible for making his own changes.

There are REST commands available to help with this. Depending on the size of your Splunk environment, you may be able to shell commands to do the same thing on the command line.

---
If this reply helps you, an upvote would be appreciated.

dmarling
Builder

This is somewhat of a difficult question as you may have to also look at eventtypes, macros, prebuilt panels, and datamodels addition to dashboards as the dashboard may reference one of those that also contains those indexes. Here's what I use for stuff like this:

| union 
    [| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
    | search "eai:data"="*index=main*" 
    | eval Type="Dashboards" 
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write] 
    [| rest splunk_server="local" "/servicesNS/-/-/saved/eventtypes" 
    | search search="*index=main*"
    | eval Type="Eventtypes"
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/data/ui/panels"
    | search "eai:data"="*index=main*"
    | eval Type="Pre Built Panels"
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/admin/macros"
    | search definition="*index=main*"
    | eval Type="Macros"
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/data/models"
    | search "eai:data"="*index=main*"
    | eval Type="Data Models"
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
    | search search="*index=main*"
    | eval Type="Saved Searches/Alerts/Reports"
    | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]

The search line on each subsearch limits the results to only ones that contain "index=main" on the knowledge object. If it's a different index name, just adjust those lines to the appropriate one.

If this comment/answer was helpful, please up vote it. Thank you.

milangurung
Engager

This search has been a life saver. Thank you so very much @dmarling.

I have updated the search slightly using rex to deal with any spaces and double quotes eg. index = "main".
This search assumes your index name consists of alphabets and underscores only. Modify rex as necessary.

 

| union
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Dashboards"
| search title=indian_h2h_carriers_tpr_utilization_prototype
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

[| rest splunk_server="local" "/servicesNS/-/-/saved/eventtypes"
| rex field=search max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Eventtypes"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

[| rest splunk_server="local" "/servicesNS/-/-/data/ui/panels"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Panels"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

[| rest splunk_server="local" "/servicesNS/-/-/admin/macros"
| rex field=definition max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Macros"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

[| rest splunk_server="local" "/servicesNS/-/-/data/models"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Data Models"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

[| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| rex field="search" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Saved Searches/Alerts/Reports"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]

milangurung
Engager

Oops. Please remove this line from the search above (unable to edit older posts?):

| search title=indian_h2h_carriers_tpr_utilization_prototype

0 Karma

dmarling
Builder

I like it! 🙂

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

Hemnaath
Motivator

Hey I have to find the dashboard,saved searches, alerts, data models and other Knowledge object associated with specific index and the source type.

Reason: We are  performing  an impact analysis on the application data which are already getting ingested into splunk, as in future the same application data will be ingested from bolt application, so that when Bolt application is fully functional we can identify and correct if something is going wrong.

I have gone through the rest query which you had posted which helped me a lots to get some information but I wanted to include the source type details along with the your query, but no luck can you correct me if this is not way we need to search using the rest api.

To find saved searches configured for specific index and source type.

| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| rex field="qualifiedSearch" "index\s*=\s*\"*(?<indexes_used>[^\s+]*)" max_match=0
| rex field="qualifiedSearch" "sourcetype\=(?<sourcetype>[^\s+]+)" max_match=0
| search indexes_used="main" OR sourcetype="test:api:txt"
| eval Type="Saved Searches/Alerts/Reports"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

this works on 8.1.0

| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| table *search*
| regex search = sourcetype
| rex field="search" "index\s*=\s*\"*(?<indexes_used>[^\s+]*)" max_match=0
| rex field="search" "sourcetype\=(?<sourcetype>[^\s+]+)" max_match=0
```| search indexes_used="main" OR sourcetype="test:api:txt"```
| eval Type="Saved Searches/Alerts/Reports"
| table Type search title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write

 

The field where the actual search is is "search" not "qualifiedSearch"

r. Ismo 

0 Karma

Hemnaath
Motivator

hey thanks it worked in 7.29  version. 

0 Karma

iparitosh
Path Finder

I don't have access to splunk right now but I can help with the algorithm-

  • Use ---> | rest splunk-rest-api-endpoint-for-savedsearches and |rest splunk-rest-api-endpoint-for-views commands to get details of all dashbaord and saved searches (reports and alerts) in a table format.
  • use fields command to narrow down the required fields which also include the search query
  • use regex commands to check for the use of index in the query.
  • use stats command to build a report of dashboards, reports and alerts by each index.

Hope it helps!

Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...