Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using index/sourcetype ? How to get the details about the dashboards/alerts/Reports/data models in splunk ?

Hemnaath
Motivator
‎11-09-2020 09:32 PM

Hi All,

We are  performing  an impact analysis on the application data which are already getting ingested into splunk, as in future the same application data will be ingested from bolt application, so that when Bolt application is fully functional we can identify and correct if something is going wrong.

In-order to do that analysis, as a first step we wanted to know about the server details, log format and list the dashboards/alerts/savedsearches configured to this application which are already getting ingested into splunk.

We  got the index and sourcetype details from the respective application owners and using this we need to fetch the server details/dashboards/alerts/data models/saved searches

So is there any search query / Splunk REST API query which can be used to fetch these details from the splunk console. 

 

Tags (1)
0 Karma
Reply

Hemnaath
Motivator
‎11-11-2020 06:16 PM

Hey thambisetty, thanks for sharing the inputs, but I had actually used this below link to fetch the required details. I hope this is useful for others when they come across the same situation. 

https://community.splunk.com/t5/Archive/How-to-find-all-Dashboards-Reports-and-Alerts-related-to-a/t...  

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-09-2020 10:32 PM

you need to match your input sourcetype/index with search field available in below rest to find saved searches( reports/alerts).

| rest splunk_server=local count=0 /services/saved/searches

I think identifying given sourcetype/index in dashboard is little bit difficult because dashboard will have multiple searches ( panels ). I am not sure if there is a rest query for that.

coming to datamodel: datamodel uses macro, so you need to have subsearch to get macro definitions for all of your datamodels: below search will give you source,sourcetype,index used in datamodel.

 

 

| rest /services/datamodel/acceleration | table title | rename title as datamodel
| eval datamodel="cim_".datamodel."_indexes"
| join type=left datamodel [| rest /servicesNS/-/-/admin/macros splunk_server=local  | table definition,title | rename title as datamodel]
| rex field=definition "index\=[\"]?(?<index_dm>[^\s|\"]+)" max_match=0
| rex field=definition "source\=[\"]?(?<source_dm>[^\s|\"]+)" max_match=0
| rex field=definition "sourcetype\=[\"]?(?<sourcetype_dm>[^\s|\"|\)]+)" max_match=0

 

 

 

————————————
If this helps, give a like below.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...