I have multiple apps on shcluster, "/application/splunk/etc/shcluster/apps". I need to check if there are any knowledge objects related to these apps, that is to say, if these apps are actually required or not. Is there a way I can get the details of all the knowledge objects related to an application? Is there any shell script which gives me this information?
You can use rest commands to know what apps those knowledge objects are associated with.
There are a lot of rest commands at this link: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTlist , depending on what you need.
For example:
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTknowledge
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTsearch
This is more theory; I'm going through them ... actually I am looking for some script which pulls up this information and gives me a report of all the related knowledge objects for an application.
When you run those rest commands in Splunk search, they will give you the information you need for the knowledge objects, for example (you can run it in the MC):
| rest "/servicesNS/-/-/admin/savedsearch/" search="is_scheduled=1" search="disabled=0" splunk_server=sh*
[| makeresults
| eval earliest_time=relative_time(now(), "-0s@s"), latest_time=relative_time(now(), "+15m@s")
| return earliest_time, latest_time ]
| table splunk_server eai:acl.app eai:acl.owner cron_schedule title scheduled_times
I tried the above but did not get any results. I searched it on the indexer search head. Where do I need to search this query?
It is just a sample; you can run it on any of the SHC members or on the MC. You should be an admin or have the right privileges to get the result.
| rest "/servicesNS/-/-/admin/savedsearch/" splunk_server="*"
Thanks a lot jarizeloyola. I'm a bit confused, what's the index for the above? Or do I need to run it with curl? If possible, can you please give me the complete command or the way I can run the above search, as the search given above does not give anything. Thanks
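A per-app knowledge-object report built on the same `/servicesNS/-/-/` REST namespace used in the searches above, as an added example that is not from any participant in this thread. It goes beyond saved searches to a few other object types; the endpoint selection, the host `sh1.example:8089`, the token-based login and the app names are assumptions, and the sample entries are constructed.

```python
import json
import ssl
import urllib.request
from collections import Counter

# Knowledge-object endpoints to inventory (an assumed selection; extend as needed).
ENDPOINTS = {
    "saved_search": "saved/searches",
    "view": "data/ui/views",
    "eventtype": "saved/eventtypes",
    "macro": "admin/macros",
    "field_extraction": "data/props/extractions",
    "lookup_definition": "data/transforms/lookups",
}

def fetch(base_url, token, endpoint, cafile=None):
    """GET one endpoint across all apps and owners; returns the 'entry' list."""
    url = f"{base_url}/servicesNS/-/-/{endpoint}?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # keep TLS verification on
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp).get("entry", [])

def summarize(entries_by_type):
    """Count objects per (app, type) using each entry's acl.app."""
    counts = Counter()
    for ko_type, entries in entries_by_type.items():
        for e in entries:
            counts[(e["acl"]["app"], ko_type)] += 1
    return counts

def apps_without_objects(app_names, counts):
    """Apps from the deployer directory that own no inventoried object."""
    used = {app for app, _ in counts}
    return sorted(set(app_names) - used)

# Constructed sample in the shape of the REST JSON 'entry' list.
SAMPLE = {
    "saved_search": [
        {"name": "Failed logins", "acl": {"app": "sec_app", "owner": "admin"}},
        {"name": "Disk usage", "acl": {"app": "ops_app", "owner": "nobody"}},
    ],
    "view": [{"name": "overview", "acl": {"app": "sec_app", "owner": "nobody"}}],
}

if __name__ == "__main__":
    # Live use (placeholders): {t: fetch("https://sh1.example:8089", TOKEN, p) for t, p in ENDPOINTS.items()}
    counts = summarize(SAMPLE)
    for (app, ko_type), n in sorted(counts.items()):
        print(f"{app}\t{ko_type}\t{n}")
    print("no objects:", apps_without_objects(["sec_app", "ops_app", "old_app"], counts))
```

The account behind the token only sees objects it has read access to, so a low-privilege token undercounts; an app listed under "no objects" may still ship inputs or other configuration that this inventory does not cover.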