
How to get a list of scheduled searches, reports, alerts, dashboards that use DBX query from my search head?

Harishma
Communicator

I'm trying to get a list of all the existing scheduled searches, reports, alerts, dashboards that use dbquery in my SH along with the owner and its app details. Is this possible? Could someone kindly help?

somesoni2
Revered Legend

You can use the following searches to get that info.
Saved searches (reports/alerts)

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]

Dashboards

| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app  eai:data eai:acl.owner| rename eai:data as code eai:acl.owner as owner | where match(code,"dbquery") OR match(code,"dbinfo") OR match(code,"dboutput") | join type=left  owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]

From each search, you can remove the join subsearch if you don't really need the full name/email etc.; it will perform better.
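
One way to fold the two searches above into a single inventory, as an added example that is not part of the original answer. It goes beyond the answer in two respects: it also matches the dbx-prefixed command names used by DB Connect 2 and later (dbxquery, dbxoutput, dbxlookup), which the dbquery/dbinfo/dboutput patterns do not cover, and it shows whether each saved search is scheduled. The `kind` column and the combined regex are choices made for this example.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| rename eai:acl.app as app eai:acl.owner as owner search as code
``` kind: scheduled vs. ad hoc saved search; alert_type and actions are kept so alerts can be told apart ```
| eval kind=if(is_scheduled=1, "scheduled search", "saved search")
| fields kind title app owner cron_schedule alert_type actions disabled code
| append
    [| rest splunk_server=local /servicesNS/-/-/data/ui/views
     | rename eai:acl.app as app eai:acl.owner as owner eai:data as code
     | eval kind="dashboard"
     | fields kind title app owner code]
``` one pattern for old (dbquery, dbinfo, dboutput) and dbx-prefixed command names ```
| where match(code, "dbx?(query|info|output|lookup)")
| table kind title app owner cron_schedule alert_type actions disabled
| sort 0 kind app title
```

The match is a plain substring test, as in the answer above, so a dashboard or search that only mentions one of these names in a comment or label is listed too.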

akocak
Contributor

I saw similar in other answers

| rest splunk_server=local /servicesNS/-/-/data/ui/views

as well as

rest  /services/saved/searches  

I am having issues returning results from these, and I am an admin. Do you know what could be my issue?
Is there any way to combine audittrail logs with some other internal log to get the same results?


somesoni2
Revered Legend

Hope you're running this exact search: (need that first pipe)

|  rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput")

akocak
Contributor

Did you find anything for this? I have a similar requirement.
