Splunk Search

Is there a way to tell if a "specific" lookup file is in use on a dashboard, report, or alert without manually checking each of these searches?

owie6466
Explorer

found the answer to getting all lookup files in use on a dashboard, report or alert. Looking for a way to tell if one specific lookup file is being used.

thank you,

1 Solution

solarboyz1
Builder

You can use the rest endpoint to search all saved searches for any that contain a reference the specified lookup:

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search qualifiedSearch=*lookupname*

View solution in original post

solarboyz1
Builder

You can use the rest endpoint to search all saved searches for any that contain a reference the specified lookup:

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search qualifiedSearch=*lookupname*

owie6466
Explorer

thank you so much! this did the trick!

0 Karma

owie6466
Explorer

is there a way to also include the app? say all reports/dashboards/datasets that are owned by a specific app?

thank you!

0 Karma

solarboyz1
Builder

| search qualifiedSearch=lookupname eai:acl.app=$YOUR_APP$

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...