Solved: Is there a way to tell if a "specific" lookup file...

owie6466 · ‎08-23-2019

found the answer to getting all lookup files in use on a dashboard, report or alert. Looking for a way to tell if one specific lookup file is being used.

thank you,

solarboyz1 · ‎08-23-2019

You can use the rest endpoint to search all saved searches for any that contain a reference the specified lookup:

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search qualifiedSearch=*lookupname*

View solution in original post

solarboyz1 · ‎08-23-2019

You can use the rest endpoint to search all saved searches for any that contain a reference the specified lookup:

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search qualifiedSearch=*lookupname*

owie6466 · ‎08-23-2019

thank you so much! this did the trick!

owie6466 · ‎08-23-2019

is there a way to also include the app? say all reports/dashboards/datasets that are owned by a specific app?

thank you!

solarboyz1 · ‎08-26-2019

| search qualifiedSearch=lookupname eai:acl.app=$YOUR_APP$

Is there a way to tell if a "specific" lookup file is in use on a dashboard, report, or alert without manually checking each of these searches?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform