Splunk Search

Using index/sourcetype? How to get the details about the dashboards/alerts/reports/data models in Splunk?

Hemnaath
Motivator

Hi All,

We are performing an impact analysis on the application data that is already being ingested into Splunk, as in future the same application data will be ingested from the Bolt application, so that when the Bolt application is fully functional we can identify and correct anything that is going wrong.

In order to do that analysis, as a first step we want to know the server details and log format, and to list the dashboards/alerts/saved searches configured for this application whose data is already being ingested into Splunk.

We got the index and sourcetype details from the respective application owners, and using these we need to fetch the server details/dashboards/alerts/data models/saved searches.

So is there any search query / Splunk REST API query that can be used to fetch these details from the Splunk console?

0 Karma

Hemnaath
Motivator

Hey thambisetty, thanks for sharing the inputs, but I had actually used the link below to fetch the required details. I hope this is useful for others when they come across the same situation.

https://community.splunk.com/t5/Archive/How-to-find-all-Dashboards-Reports-and-Alerts-related-to-a/t...

0 Karma

thambisetty
SplunkTrust

You need to match your input sourcetype/index against the search field available in the REST output below to find saved searches (reports/alerts).

| rest splunk_server=local count=0 /services/saved/searches

I think identifying a given sourcetype/index in a dashboard is a little bit difficult, because a dashboard will have multiple searches (panels). I am not sure if there is a REST query for that.

Coming to data models: a data model uses a macro, so you need a subsearch to get the macro definitions for all of your data models. The search below will give you the source, sourcetype and index used in each data model.
| rest /services/datamodel/acceleration | table title | rename title as datamodel
| eval datamodel="cim_".datamodel."_indexes"
| join type=left datamodel [| rest /servicesNS/-/-/admin/macros splunk_server=local  | table definition,title | rename title as datamodel]
| rex field=definition "index\=[\"]?(?<index_dm>[^\s|\"]+)" max_match=0
| rex field=definition "source\=[\"]?(?<source_dm>[^\s|\"]+)" max_match=0
| rex field=definition "sourcetype\=[\"]?(?<sourcetype_dm>[^\s|\"|\)]+)" max_match=0
————————————
If this helps, give a like below.
0 Karma
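As an added example (not part of the answer above), the matching step on the saved-search and dashboard REST output can be done offline once the JSON has been pulled: the sample responses below are constructed to mirror the shape of /services/saved/searches?output_mode=json and /servicesNS/-/-/data/ui/views?output_mode=json, trimmed to the fields used, and the dashboard case scans every panel's <query> element, which is the part the answer flags as hard to do with a single REST call.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample of the two REST responses, trimmed to the fields this
# script reads (not a capture from a real Splunk instance).
SAVED_SEARCHES_JSON = json.dumps({"entry": [
    {"name": "Bolt errors", "acl": {"app": "search"},
     "content": {"search": 'index="app_logs" sourcetype=bolt:app ERROR | stats count'}},
    {"name": "Unrelated", "acl": {"app": "search"},
     "content": {"search": "index=_internal | head 1"}},
]})
DASHBOARDS_JSON = json.dumps({"entry": [
    {"name": "bolt_overview", "acl": {"app": "search"}, "content": {"eai:data":
     "<dashboard><row><panel><chart><search><query>"
     "index=app_logs sourcetype=bolt:app | timechart count</query>"
     "</search></chart></panel></row></dashboard>"}},
    {"name": "other", "acl": {"app": "search"}, "content": {"eai:data":
     "<dashboard><row><panel><table><search><query>index=web | head 5"
     "</query></search></table></panel></row></dashboard>"}},
]})

# index=foo, index="foo", sourcetype=bar:baz ... value ends at space, quote, pipe or ')'
KV_RE = re.compile(r'\b(index|sourcetype)\s*=\s*"?([^\s"|)]+)')


def spl_refs(spl):
    """Set of (field, value) pairs such as ('index', 'app_logs') referenced in SPL text."""
    return set(KV_RE.findall(spl))


def matching_saved_searches(rest_json, index, sourcetype):
    """Names (app/name) of saved searches whose SPL uses the given index or sourcetype."""
    wanted = {("index", index), ("sourcetype", sourcetype)}
    return [f'{e["acl"]["app"]}/{e["name"]}' for e in json.loads(rest_json)["entry"]
            if spl_refs(e["content"]["search"]) & wanted]


def matching_dashboards(rest_json, index, sourcetype):
    """Dashboards (app/name) with at least one panel whose SPL uses the index or sourcetype."""
    wanted = {("index", index), ("sourcetype", sourcetype)}
    hits = []
    for e in json.loads(rest_json)["entry"]:
        root = ET.fromstring(e["content"]["eai:data"])
        # Simple XML keeps each panel's SPL in <query> (older dashboards: <searchString>)
        spl = " ".join((q.text or "") for q in root.iter() if q.tag in ("query", "searchString"))
        if spl_refs(spl) & wanted:
            hits.append(f'{e["acl"]["app"]}/{e["name"]}')
    return hits
```

Panels that reference a saved search by name rather than inline SPL are not caught here; cross-check those against the saved-search list.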