Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search in Splunk if a specific lookup table...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search in Splunk if a specific lookup table is being used in a dashboard?
TaraAshley
Engager
10-04-2023
12:42 PM
Hello,
I was wondering if it is possible to locate or search in Splunk if a specific lookup table is being used in a dashboard, alert, saved search, report etc. Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TaraAshley
Engager
10-04-2023
02:33 PM
Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
10-04-2023
01:06 PM
Here are some SPL queries from a knowledge object definition term search dashboard I have in my environment. I've been thinking about putting it and some other admin centric dashboards I've created into an app and adding it to Splunkbase. Maybe I should get on that. Replace the {your_term} parts with your lookup.
Saved Search
| rest splunk_server=* /servicesNS/-/-/saved/searches add_orphan_field=yes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing, dispatch.* as *
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| where has_term="1"
| fields splunk_server, app, owner, sharing, disabled, is_scheduled, cron_schedule, earliest_time, latest_time, title, search
| sort splunk_server, title
Views
| rest splunk_server=* /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(label,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, label, data
| sort splunk_server, title
Data Models
| rest splunk_server=* /servicesNS/-/-/data/models
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, data
| sort splunk_server, title
Fields
| rest splunk_server=* /services/data/props/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| eval type="props"
| search has_term=1
| append [
| rest splunk_server=* /services/data/transforms/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(REGEX,"{your_term}") OR match(SOURCE_KEY,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="transforms"
| fields splunk_server, app, owner, sharing, title, REGEX, SOURCE_KEY
]
| append [
| rest splunk_server=* /services/data/props/calcfields
| rename eai:acl.app as app, eai:acl.owner as owner, field.name as field_name, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(field_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="calcfields"
| fields splunk_server, app, owner, sharing, title, type, attribute, value, field_name
]
| append [
| rest splunk_server=* /services/data/props/fieldaliases
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="fieldalias"
| fields splunk_server, app, owner, sharing, title, type, attribute, value
]
| rename REGEX as regex, SOURCE_KEY as source_key
| fields splunk_server, app, owner, sharing, title, type, attribute, value, regex, source_key, field_name
Macros
| rest splunk_server=* /servicesNS/-/-/admin/macros
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(definition,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, definition
| sort splunk_server, title
Event Types
| rest splunk_server=* /servicesNS/-/-/saved/eventtypes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, search
| sort splunk_server, title
Tags
| rest splunk_server=* /servicesNS/-/-/admin/tags
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(field_name_value,"{your_term}") OR match(title,"{your_term}") OR match(tag_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, tag_name, field_name_value
| sort splunk_server, tag_name
Lookups
| rest splunk_server=* /services/data/transforms/lookups
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| append [
| rest splunk_server=* /servicesNS/-/-/data/lookup-table-files
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval filename=title
| eval type="file"
]
| eval filename=if(isnull(filename), title, filename)
| stats values(title) as title, values(fields_array) as fields_array by splunk_server, app, owner, sharing, filename, type
| eval filename=if(type!="file" AND type!="geo", "", filename)
| eval has_term=if(match(filename,"{your_term}") OR match(title,"{your_term}") OR match(fields_array,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, filename, title, fields_array, type
| sort splunk_server, filename
Get Updates on the Splunk Community!
Buttercup Games Tutorial Extension - part 9
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games Tutorial Extension - part 8
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Introducing the Splunk Developer Program!
Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
