Splunk Search

List All Lookups in An App?

andrewkenth
Communicator

Is there a way to list all of the lookups in a given app (w/o using Sideview utils)?

Or, how can I use sideview lookup updateer but run it in a non sideview app? If I try to run it in a different app I receive the error "Unknown search command 'splunkentity'. ". Is there a way I can extend the 'splunkentity' command to another app?

Tags (2)
1 Solution

somesoni2
Revered Legend

"splunkentity" is a custom command defined in sideview util app, scope of which is by default limited to that app only. To use this command outside sideview app, simply change the sharing permission of this custom search command to "All apps".

Manager » Advanced search » Search commands >> Sharing >> All Apps.

View solution in original post

sideview
SplunkTrust
SplunkTrust

You can export two little things in Sideview Utils so that they are shared with all apps, and then the Lookup Updater will appear as a view in all apps.

1) From the Sideview Utils homepage, go to Settings > Advanced Search > Search commands. (If you're in 5.X or earlier it's Manager instead of settings). Scroll down until you find the "splunk_entity" entry in the table. Click the "permissions" link and on the resulting page change "Object should appear in" from "this app only" to "all apps". Submit the form.

2) again from the Sideview Utils homepage, go to Settings > User Interface > Views and find the "update_lookup" entry there. You'll have to page to the last page because there are a ton of docs views and hidden testcase views. Click the "Permissions" link on "update_lookup" and do the same thing - set it to appear in all apps. Submit the form.

After that point you can go to the Lookup Updater from all apps by going to "/apps/YOUR_APP/update_lookup", and depending on how that app sets up its app navigation menu, it may automatically appear in the menu somewhere.

somesoni2
Revered Legend

"splunkentity" is a custom command defined in sideview util app, scope of which is by default limited to that app only. To use this command outside sideview app, simply change the sharing permission of this custom search command to "All apps".

Manager » Advanced search » Search commands >> Sharing >> All Apps.

sideview
SplunkTrust
SplunkTrust

by the way this is true of lots of things in Sideview Utils. We try to ship nothing that will be visible outside the app, or that will have any effect outside the app, however most things can be exported to the system level and they'll still work. For the search views and the Lookup Updater and the Search Exploder - if you want to use these things in your app the easiest way is to just change the sharing under "permissions".

0 Karma

andrewkenth
Communicator

It would be much easier for me to run an sideview in an app is this possible? How can I use sideview lookup updateer but run it in a non sideview app? If I try to run it in a different app I receive the error "Unknown search command 'splunkentity'. ". Is there a way I can extend the 'splunkentity' command to another app?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Give this a shot for listing the lookups in an app:

| rest /servicesNS/-/sos/data/props/lookups

Just replace sos with your app.

sideview
SplunkTrust
SplunkTrust

splunkentity is a bit more for everyday use cause it'll give you whatever the current user can see for the given entity path. the rest command is a great admin tool for poking around and deconstructing the layered config system but at the end of the day it's hard to use for simple things like "give me all saved searches", because it forces you think about namespaces and owners.

nicolasydder
Explorer

Hi folks,

This command is working for me but it isn't listing lookup linked to a collection (kvstore)...
Do you know why ?

I want to list all collection according to lookups.

BR

NicolasY.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Yeah, the first part after servicesNS is for the user context - the dash just means "visible for everyone". You might also run this instead:

| rest /servicesNS/admin/sos/data/props/lookups

Then you'll see things visible for the user admin in the app sos. I've just run it again on 6.0.1, and it works as documented here: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTknowledge#data.2Fprops.2Flookups

0 Karma

andrewkenth
Communicator

I am using 6.0, this does not seem to work for me. Did you mean to put an /-/ in there?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...