Solved: Splunk Rest Query to see the definitions of all da...

splunkfriend123 · ‎06-24-2022

Hi Team,

We had couple of dashboards who created by ex-employees and existing team is unable to access them.

Even we dont have access to admin privileges to access .

Is there any rest query to fetch dashbaord name and along with the query ( code ) so that we can save them as new name and use it for reference.

Thank you,

SriCharan

marysan · ‎06-26-2022

you need eai:data field too :

| rest /servicesNS/-/-/data/ui/views
| rename eai:acl.app AS app
| rename eai:acl.perms.write as dashboard-write-permission
| rename eai:acl.perms.read as dashboard-read-permission
| rename eai:appName as appName
| rename eai:data AS data
| join type=outer appName
[| rest /servicesNS/-/-/apps/local
| rename title AS appName
| rename eai:acl.perms.read AS app-read-permission
| rename eai:acl.perms.write AS app-write-permission]
| table app label title dashboard-read-permission dashboard-read-permission app-write-permission app-read-permission data

View solution in original post

gcusello · ‎06-25-2022

Hi @splunkfriend123,

to have the list of all your dashboards you can use the search shared by @Roy_9.

To change the owner of these dashboard, it depends on the share level of them:

if they are private, you have to move them by CLI from the $SPLUNK_HOME/etc/users/<user_name>/apps/<your_app>/local folder into your username folder, or to copy them and use the code to create a new one.

If they are in an App, you have to modify $SPLUNK_HOME/etc/apps/<your_app>/metadata/meta.local the owner of your dashboards.

In both cases, you have to restart Splunk.

Ciao.

Giuseppe

Roy_9 · ‎06-25-2022

@splunkfriend123 try this

| rest /servicesNS/-/-/data/ui/views

| rename eai:acl.app AS app

| rename eai:acl.perms.write as dashboard-write-permission

| rename eai:acl.perms.read as dashboard-read-permission

| rename eai:appName as appName

| join type=outer appName

[| rest /servicesNS/-/-/apps/local

| rename title AS appName

| rename eai:acl.perms.read AS app-read-permission

| rename eai:acl.perms.write AS app-write-permission]

| table app label title dashboard-read-permission dashboard-read-permission app-write-permission app-read-permission

splunkfriend123 · ‎06-25-2022

Hi @Roy_9 :

Thanks a ton for your quick response.

The query you provided fetches dashboard name but not its definition.

Is there any way to modify this query to fetch the definition ( query used for creating dashboard ) ?

Many thanks in advance.

marysan · ‎06-26-2022

you need eai:data field too :

| rest /servicesNS/-/-/data/ui/views
| rename eai:acl.app AS app
| rename eai:acl.perms.write as dashboard-write-permission
| rename eai:acl.perms.read as dashboard-read-permission
| rename eai:appName as appName
| rename eai:data AS data
| join type=outer appName
[| rest /servicesNS/-/-/apps/local
| rename title AS appName
| rename eai:acl.perms.read AS app-read-permission
| rename eai:acl.perms.write AS app-write-permission]
| table app label title dashboard-read-permission dashboard-read-permission app-write-permission app-read-permission data

Splunk Rest Query to see the definitions of all dashboards ( public & private )

search job inspector

transaction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms