Our Splunk instance is being overhauled and I need to update all of the content that has been built. We have some indexes that are changing names, and I am looking for a query that I can run to find all dashboards, reports and alerts that are based on specific indexes.
For example, index=main is changing to index=core.
I need to search for all dashboards, reports and alerts that reference index=main so I can change them to index=core.
Try this:
| rest /servicesNS/-/-/data/ui/views splunk_server_group=*
| search ("eai:data"=*query*)
| regex eai:data="<search.*"
| rex field=eai:data "(?P<theSearch><search(?!String)[^>]*>[^<]*<query>.*?)<\/query>" max_match=200
| mvexpand theSearch
| rex field=theSearch "<search(?P<searchInfo>[^>]*)>[^<]*<query>(?P<theQuery>.*)"
| rename "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:appName" as application, label as name
| table name, title, application, owner, sharing, splunk_server, theQuery
| search theQuery="*index=main*" owner=*
| rename name as "Friendly Name", title as Title, theQuery AS "Panel Content"
Put your index name in the theQuery search term (index=main above), and narrow owner=* if you only want one user's dashboards.
Try this as a dashboard:
<form>
  <label>FNF: Dashboard Search</label>
  <description>This dashboard will search content across infrastructure for embedded code in any panel searches</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="varSplunkServerGroup" searchWhenChanged="true">
      <label>Select Splunk Server Group</label>
      <choice value="*">All Servers</choice>
      <choice value="es_shc">ES Search Heads</choice>
      <choice value="adhoc_shc">Ad-Hoc Search Heads</choice>
      <choice value="dmc_group_cluster_master">Cluster Master</choice>
      <choice value="dmc_customgroup_monitoring_console">Monitoring Console</choice>
      <choice value="dmc_group_indexer">Indexers</choice>
      <choice value="dmc_group_license_master">License Server</choice>
      <choice value="dmc_group_hfs">Heavy Forwarders</choice>
      <choice value="dmc_group_deployment_server">Deployment Server</choice>
      <choice value="dmc_group_search_head">All Search Heads</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="varOwner" searchWhenChanged="true">
      <label>Owner Search</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="varContentSearch" searchWhenChanged="true">
      <label>Content Search</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>"*</prefix>
      <suffix>*"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/data/ui/views splunk_server_group=$varSplunkServerGroup$
| search ("eai:data"=*query*)
| regex eai:data="<search.*"
| rex field=eai:data "(?P<theSearch><search(?!String)[^>]*>[^<]*<query>.*?)<\/query>" max_match=200
| mvexpand theSearch
| rex field=theSearch "<search(?P<searchInfo>[^>]*)>[^<]*<query>(?P<theQuery>.*)"
| rename "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:appName" as application, label as name
| table name, title, application, owner, sharing, splunk_server, theQuery
| search theQuery=$varContentSearch$ owner=*$varOwner$*
| rename name as "Friendly Name", title as Title, theQuery AS "Panel Content"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
There is no association between an index and the dashboards, reports, and alerts that reference it. You must search all dashboards, reports, saved searches, alerts, macros, views, and eventtypes (I may have missed one or two) for "index=main". Don't forget private knowledge objects, although you could make each user responsible for making his own changes.
There are REST commands available to help with this. Depending on the size of your Splunk environment, you may be able to use shell commands to do the same thing on the command line.
This is somewhat of a difficult question, as you may also have to look at eventtypes, macros, prebuilt panels, and data models in addition to dashboards, since a dashboard may reference one of those that in turn contains those indexes. Here's what I use for stuff like this:
| union
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| search "eai:data"="*index=main*"
| eval Type="Dashboards"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/saved/eventtypes"
| search search="*index=main*"
| eval Type="Eventtypes"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/panels"
| search "eai:data"="*index=main*"
| eval Type="Pre Built Panels"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/admin/macros"
| search definition="*index=main*"
| eval Type="Macros"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/data/models"
| search "eai:data"="*index=main*"
| eval Type="Data Models"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| search search="*index=main*"
| eval Type="Saved Searches/Alerts/Reports"
| table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
The search line on each subsearch limits the results to only ones that contain "index=main" on the knowledge object. If it's a different index name, just adjust those lines to the appropriate one.
Thanks for this! This worked for me in 9.1.2. Definitely nicer than my thought of grepping for the index name recursively from all /opt/splunk/etc/apps/search and /opt/splunk/etc/users.
Great help!
This search has been a life saver. Thank you so very much @dmarling.
I have updated the search slightly using rex to deal with any spaces and double quotes, e.g. index = "main".
This search assumes your index name consists of letters and underscores only. Modify the rex as necessary.
| union
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Dashboards"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/saved/eventtypes"
| rex field=search max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Eventtypes"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/panels"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Panels"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/admin/macros"
| rex field=definition max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Macros"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/data/models"
| rex field="eai:data" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Data Models"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
[| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| rex field="search" max_match=0 "index\s*=\s*\"*(?<indexes_used>[_a-zA-Z]*)"
| search indexes_used=main
| eval Type="Saved Searches/Alerts/Reports"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write]
I like it! 🙂
Hey, I have to find the dashboards, saved searches, alerts, data models and other knowledge objects associated with a specific index and sourcetype.
Reason: we are performing an impact analysis on application data that is already being ingested into Splunk, as in future the same application data will be ingested from the Bolt application, so that when Bolt is fully functional we can identify and correct anything that is going wrong.
I have gone through the REST query you posted, which helped me a lot in getting some information, but I wanted to include the sourcetype details along with your query, with no luck. Can you correct me if this is not the way we need to search using the REST API?
To find saved searches configured for specific index and source type.
| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| rex field="qualifiedSearch" "index\s*=\s*\"*(?<indexes_used>[^\s+]*)" max_match=0
| rex field="qualifiedSearch" "sourcetype\=(?<sourcetype>[^\s+]+)" max_match=0
| search indexes_used="main" OR sourcetype="test:api:txt"
| eval Type="Saved Searches/Alerts/Reports"
| table Type title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write
Hi
This works on 8.1.0:
| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| regex search=sourcetype
| rex field="search" "index\s*=\s*\"*(?<indexes_used>[^\s+]*)" max_match=0
| rex field="search" "sourcetype\=(?<sourcetype>[^\s+]+)" max_match=0
```| search indexes_used="main" OR sourcetype="test:api:txt"```
| eval Type="Saved Searches/Alerts/Reports"
| table Type search title eai:acl.app author eai:acl.sharing eai:acl.perms.read eai:acl.perms.write
The field where the actual search is, is "search", not "qualifiedSearch".
r. Ismo
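The three approaches in this thread that go beyond a single REST call (grepping the on-disk apps and users directories as mentioned in the 9.1.2 reply, the rex that tolerates spaces and quotes around the index name, and the index-plus-sourcetype variant above) can be combined into one offline scanner. The following is an added Python example written for this page; it is not Splunk code and not any poster's search. It reads the same artifacts the REST endpoints expose (savedsearches.conf, macros.conf, eventtypes.conf and Simple XML views), so it runs without a Splunk instance. All conf and XML inputs are constructed samples, the $SPLUNK_HOME layout is assumed, and it also handles the `index::main` and `index IN (...)` forms, which the thread's rex does not cover. Comparing the captured name exactly is what keeps `index=main` from also matching `index=main_archive`, which the wildcard `"*index=main*"` searches above would.

```python
"""Offline scan of Splunk knowledge objects for index/sourcetype references, plus
a safe index rename.  Added example for this thread (not Splunk's or any poster's
code).  It reads the files behind the REST endpoints used above, so it runs
without a Splunk instance; all inputs are constructed samples."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# index=main, index = "main", index::main, index IN (main, "sec").  Capturing the
# full name allows an exact compare, so "main" does not hit "main_archive".
INDEX_RE = re.compile(r'\bindex\s*(?:=|::)\s*"?(?P<name>[\w*-]+)"?'
                      r'|\bindex\s+IN\s*\((?P<list>[^)]*)\)', re.I)
SOURCETYPE_RE = re.compile(r'\bsourcetype\s*(?:=|::)\s*"?(?P<name>[\w:*.-]+)"?', re.I)
Obj = Tuple[str, str, str]  # (kind, name, SPL)

def indexes_in(spl: str) -> List[str]:
    """Every index name the SPL references (wildcards returned as-is)."""
    found: List[str] = []
    for m in INDEX_RE.finditer(spl):
        if m.group("name") is not None:
            found.append(m.group("name"))
        else:  # index IN (...): split the list and unquote each entry
            found += [x.strip().strip('"') for x in m.group("list").split(",") if x.strip()]
    return found

def sourcetypes_in(spl: str) -> List[str]:
    return [m.group("name") for m in SOURCETYPE_RE.finditer(spl)]

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers, key = value, backslash continuations."""
    lines: List[str] = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # continued search string
            lines[-1] = lines[-1][:-1] + raw
        else:
            lines.append(raw)
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in (l.strip() for l in lines):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def view_queries(xml_text: str) -> List[Tuple[str, str]]:
    """(label#n, SPL) for each <query> or legacy <searchString> in a Simple XML view."""
    root = ET.fromstring(xml_text)
    label = root.findtext("label") or "view"
    queries = [el.text or "" for tag in ("query", "searchString") for el in root.iter(tag)]
    return [(f"{label}#{i}", q) for i, q in enumerate(queries)]

# Constructed samples standing in for $SPLUNK_HOME/etc/apps/<app>/local/*.conf
# and data/ui/views/*.xml (assumed layout; etc/users/ holds private objects).
SAVEDSEARCHES_CONF = r"""
[Failed logins by host]
search = index=main sourcetype=linux_secure "Failed password" \
| stats count by host
[Archive volume]
search = index=main_archive | stats count
[Multi index]
search = index IN (main, "security") | head 10
"""
MACROS_CONF = '[core_events]\ndefinition = index = "main" sourcetype=test:api:txt\n'
EVENTTYPES_CONF = '[ssh_fail]\nsearch = index::main "Failed password"\n'
VIEW_XML = """<dashboard><label>Auth overview</label>
  <row><panel><chart><search><query>index=main sourcetype=linux_secure | timechart count</query></search></chart></panel></row>
  <row><panel><table><searchString>index=os | stats count</searchString></table></panel></row>
</dashboard>"""

def load_objects() -> List[Obj]:
    objs: List[Obj] = []
    for kind, text, key in (("Saved search", SAVEDSEARCHES_CONF, "search"),
                            ("Macro", MACROS_CONF, "definition"),
                            ("Eventtype", EVENTTYPES_CONF, "search")):
        objs += [(kind, name, attrs.get(key, "")) for name, attrs in parse_conf(text).items()]
    return objs + [("Dashboard panel", name, q) for name, q in view_queries(VIEW_XML)]

def find_references(objs: List[Obj], index: str, sourcetype: Optional[str] = None) -> List[Obj]:
    """Objects whose SPL names `index` exactly, or `sourcetype` when one is given."""
    return [o for o in objs if index in indexes_in(o[2])
            or (sourcetype is not None and sourcetype in sourcetypes_in(o[2]))]

def rename_index(spl: str, old: str, new: str) -> str:
    """Rewrite references to index `old` as `new`; names like old_archive are untouched."""
    eq_form = re.compile(r'(\bindex\s*(?:=|::)\s*"?)' + re.escape(old) + r'(?![\w-])', re.I)
    spl = eq_form.sub(lambda m: m.group(1) + new, spl)
    in_form = re.compile(r'(\bindex\s+IN\s*\()([^)]*)(\))', re.I)
    item = re.compile(r'(?<![\w-])' + re.escape(old) + r'(?![\w-])')
    return in_form.sub(lambda m: m.group(1) + item.sub(new, m.group(2)) + m.group(3), spl)

if __name__ == "__main__":
    for kind, name, spl in find_references(load_objects(), "main", "test:api:txt"):
        print(f"{kind:16} {name:24} -> {rename_index(spl, 'main', 'core')}")
```

Run it as a script to list every hit with its rewritten search; against a real deployment you would walk the apps and users directories and feed each .conf to parse_conf and each view to view_queries. It does not expand macros or follow data model base searches, so a dashboard that only calls `core_events` is caught through macros.conf, not through the view, which is why the union answer above scans macros and data models as well as dashboards.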
Hey, thanks, it worked in version 7.29.
I don't have access to Splunk right now, but I can help with the algorithm:
Hope it helps!