How to search in Splunk if a specific lookup table is being used in a dashboard?

TaraAshley
Engager

Hello,

I was wondering if it is possible to locate or search in Splunk if a specific lookup table is being used in a dashboard, alert, saved search, report etc. Thank you for your help!


TaraAshley
Engager

Thank you very much!


fredclown
Builder

Here are some SPL queries from a knowledge object definition term search dashboard I have in my environment. I've been thinking about putting it and some other admin-centric dashboards I've created into an app and adding it to Splunkbase. Maybe I should get on that. Replace the {your_term} parts with your lookup.

Saved Search

| rest splunk_server=* /servicesNS/-/-/saved/searches add_orphan_field=yes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing, dispatch.* as *
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, disabled, is_scheduled, cron_schedule, earliest_time, latest_time, title, search
| sort splunk_server, title


Views

| rest splunk_server=* /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(label,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, label, data
| sort splunk_server, title


Data Models

| rest splunk_server=* /servicesNS/-/-/data/models
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, data
| sort splunk_server, title


Fields

| rest splunk_server=* /services/data/props/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| eval type="props"
| search has_term=1
| append [
	| rest splunk_server=* /services/data/transforms/extractions
	| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(REGEX,"{your_term}") OR match(SOURCE_KEY,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="transforms"
	| fields splunk_server, app, owner, sharing, title, type, REGEX, SOURCE_KEY
]
| append [
	| rest splunk_server=* /services/data/props/calcfields
	| rename eai:acl.app as app, eai:acl.owner as owner, field.name as field_name, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(field_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="calcfields"
	| fields splunk_server, app, owner, sharing, title, type, attribute, value, field_name
]
| append [
	| rest splunk_server=* /services/data/props/fieldaliases
	| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="fieldalias"
	| fields splunk_server, app, owner, sharing, title, type, attribute, value
]
| rename REGEX as regex, SOURCE_KEY as source_key
| fields splunk_server, app, owner, sharing, title, type, attribute, value, regex, source_key, field_name


Macros

| rest splunk_server=* /servicesNS/-/-/admin/macros
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(definition,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, definition
| sort splunk_server, title


Event Types

| rest splunk_server=* /servicesNS/-/-/saved/eventtypes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, search
| sort splunk_server, title


Tags

| rest splunk_server=* /servicesNS/-/-/admin/tags
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(field_name_value,"{your_term}") OR match(title,"{your_term}") OR match(tag_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, tag_name, field_name_value
| sort splunk_server, tag_name


Lookups

| rest splunk_server=* /services/data/transforms/lookups
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| append [
    | rest splunk_server=* /servicesNS/-/-/data/lookup-table-files
    | rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
    | eval filename=title
    | eval type="file"
]
| eval filename=if(isnull(filename), title, filename)
| stats values(title) as title, values(fields_array) as fields_array by splunk_server, app, owner, sharing, filename, type
| eval filename=if(type!="file" AND type!="geo", "", filename)
| eval has_term=if(match(filename,"{your_term}") OR match(title,"{your_term}") OR match(fields_array,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, filename, title, fields_array, type
| sort splunk_server, filename
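
An added example, not from the answer above or from Splunk: the has_term checks in these queries use match(), which treats {your_term} as an unanchored regex, so searching for user_roles also flags user_roles_tmp and the "." in roles.csv matches any character. This Python scans constructed sample object definitions (SAMPLE_OBJECTS, in the field shape the REST endpoints above return) with an escaped pattern anchored on the lookup, inputlookup and outputlookup commands, and compares it with the naive substring match; TEXT_FIELDS is an assumption about which fields carry SPL.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample knowledge objects, shaped like the REST endpoint results
# above (one dict per object). Not real environment data.
SAMPLE_OBJECTS: List[Dict[str, str]] = [
    {"kind": "saved_search", "title": "Failed logins by user",
     "search": "index=auth action=failure | lookup user_roles.csv user OUTPUT role"},
    {"kind": "view", "title": "auth_overview",
     "data": "<dashboard><search><query>| inputlookup user_roles.csv "
             "| stats count by role</query></search></dashboard>"},
    {"kind": "saved_search", "title": "Nightly roles export",
     "search": "index=hr | outputlookup user_roles_tmp.csv"},
    {"kind": "macro", "title": "roles_lookup",
     "definition": "lookup local=true user_roles user OUTPUT role"},
]

# Assumed: the fields that carry SPL or dashboard source for each object kind.
TEXT_FIELDS = ("search", "data", "definition")
LOOKUP_COMMANDS = ("lookup", "inputlookup", "outputlookup")


def lookup_reference_pattern(lookup_name: str) -> "re.Pattern[str]":
    """Regex that matches the lookup only where SPL invokes it.

    re.escape keeps '.' in a .csv name literal, the trailing word boundary stops
    user_roles matching user_roles_tmp, command options such as local=true are
    skipped, and the leading pipe is optional because macro definitions omit it.
    A definition name and its .csv file are treated as the same lookup.
    """
    base = lookup_name[:-4] if lookup_name.endswith(".csv") else lookup_name
    cmds = "|".join(LOOKUP_COMMANDS)
    return re.compile(
        rf"(?:^|\|)\s*(?:{cmds})\s+(?:\w+=\S+\s+)*{re.escape(base)}(?:\.csv)?\b",
        re.IGNORECASE,
    )


def _object_text(obj: Dict[str, str]) -> str:
    return " ".join(obj.get(f, "") for f in TEXT_FIELDS)


def naive_references(objects: List[Dict[str, str]], lookup_name: str) -> List[Tuple[str, str]]:
    """Equivalent of match(field, "{your_term}"): an unescaped, unanchored regex."""
    pat = re.compile(lookup_name, re.IGNORECASE)
    return [(o["kind"], o["title"]) for o in objects if pat.search(_object_text(o))]


def find_lookup_references(objects: List[Dict[str, str]], lookup_name: str) -> List[Tuple[str, str]]:
    """Return (kind, title) for every object whose SPL actually invokes the lookup."""
    pat = lookup_reference_pattern(lookup_name)
    return [(o["kind"], o["title"]) for o in objects if pat.search(_object_text(o))]
```

The naive scan returns all four sample objects for user_roles, while the anchored scan drops the job that only writes user_roles_tmp.csv.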