I like this question because the answer can help in cleaning up old knowledge objects in an installation.
Using the rest commands we can get all the information needed to answer the question.
This search will pull all the dashboard names and their source.
|rest /servicesNS/-/-/data/ui/views | rename eai:* as * |rename acl.* as * | search isVisible=1 | fields title data
This search will pull all the saved search names and their queries.
| rest /servicesNS/-/-/saved/searches/ | search is_scheduled=1 | dedup title | fields title
Now that we have the information needed, let's figure out how to answer the question...
I thought about using a wildcarded lookup (exporting the search names and then performing a wildcarded lookup in the data field), but I wanted something that didn't require me to modify any props/transforms files and also worked with a single query.
Also thought about using rex to extract all of the possible ways a saved search can be referenced in a dashboard and then some other Splunk foo to get the final report, but I figured not to go that route.
Here is what I came up with. It's not pretty, but at first glance it seems to be working. You end up with a count of how many times each saved search is referenced in all of the dashboards. It basically uses a sub-search that gets a list of all the saved search names and formats them into a stats string which is doing a conditional like count on the data field for each of the saved search names. Fair warning that this is basically just doing a search for the saved search name and doesn't check to see if it's part of a module that's calling a saved search. Meaning if you have a saved search called "ERROR" you might get some false positives in the count, as any occurrence of the string ERROR will be included in the count.
|rest /servicesNS/-/-/data/ui/views splunk_server=local | rename eai:* as * |rename acl.* as * | search isVisible=1| fields title data | stats [| rest /servicesNS/-/-/saved/searches/ splunk_server=local | search is_scheduled=1 | dedup title | fields title | eval savedSearch="count(eval(like(data,\"%".title."%\"))) AS \"".title."\"" | stats values(savedSearch) AS savedSearch | nomv savedSearch| return $savedSearch] | transpose | rename column AS savedSearchName "row 1" AS countOfTimesFoundInDashboards
Would love to hear how other people might have tackled this in hopefully a much simpler way.
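An added example, not part of the original post: a Python check that counts a saved search only where the dashboard XML explicitly references it (Simple XML `<search ref>`, legacy `<searchName>`, the advanced XML `savedSearch` module param, or `| savedsearch` inside a query), which avoids the substring false positives described in the answer above. It assumes the `title` and `data` fields from the two REST searches have been exported; the dashboards and names below are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# "| savedsearch Name" or "| savedsearch "Name With Spaces"" inside an inline query
SPL_REF = re.compile(r'\|\s*savedsearch\s+(?:"([^"]+)"|([^\s|]+))', re.I)

def saved_search_refs(view_xml):
    """Return the saved search names one dashboard's XML explicitly references."""
    refs = []
    try:
        root = ET.fromstring(view_xml)
    except ET.ParseError:
        return refs  # malformed view source: skip rather than guess
    for el in root.iter():
        text = (el.text or "").strip()
        if el.tag == "search" and el.get("ref"):        # Simple XML
            refs.append(el.get("ref"))
        elif el.tag == "searchName" and text:           # legacy Simple XML
            refs.append(text)
        elif el.tag == "param" and el.get("name") == "savedSearch" and text:
            refs.append(text)                           # advanced XML module
        elif el.tag in ("query", "searchString") and text:
            refs += [quoted or bare for quoted, bare in SPL_REF.findall(text)]
    return refs

def count_references(views, scheduled_titles):
    """Map each saved search title to the number of dashboards referencing it."""
    counts = {title: 0 for title in scheduled_titles}
    for view_xml in views.values():
        for name in set(saved_search_refs(view_xml)):
            if name in counts:
                counts[name] += 1
    return counts

# Constructed sample data standing in for the REST output (title -> data).
VIEWS = {
    "ops_overview": '<dashboard><label>ERROR overview</label><row><panel>'
                    '<chart><search ref="Failed Logins"/></chart>'
                    '<table><search><query>index=main ERROR | stats count</query>'
                    '</search></table></panel></row></dashboard>',
    "legacy": '<dashboard><row><table><searchName>Failed Logins</searchName></table>'
              '<chart><searchString>| savedsearch "ERROR" | timechart count'
              '</searchString></chart></row></dashboard>',
    "advanced": '<view><module name="HiddenSavedSearch">'
                '<param name="savedSearch">Disk Usage</param></module></view>',
}
SCHEDULED = ["ERROR", "Failed Logins", "Disk Usage", "Unused Report"]

if __name__ == "__main__":
    for title, n in count_references(VIEWS, SCHEDULED).items():
        print(f"{title}: {n}")
```

Saved searches that come back with a count of 0 are the cleanup candidates; the word ERROR in the `ops_overview` label and query text is not counted.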