Getting Data In

How to find the list of indexes and source types in specific app?

gokikrishnan198
New Member

I have a different kind of access called ELEVATED ACCESS in Splunk Enterprise, which is below the POWER USER but higher than the USER, with different apps installed. I have only one app in that. Is there a way to identify the list of available indexes and source types that are used in my app?

0 Karma
1 Solution

renjith_nair
SplunkTrust

If you have access only to indexes under one app, then you can try

    |tstats count by sourcetype where index=* |fields - count

If you need to list down the app name as well, then you probably need to use rest calls, e.g.:

    | rest /servicesNS/-/-/data/indexes  | table title eai:acl.app

This might need additional permissions!

Happy Splunking!

gokikrishnan198
New Member

I am able to get the few indexes from the code '|tstats count by sourcetype where index=* |fields - count' you gave. But I am unable to get the source types for the corresponding indexes. Can you help me on that part?

0 Karma

renjith_nair
SplunkTrust

@gokikrishnan1982, if you just want all indexes and sourcetypes, try

    |tstats count by index,sourcetype|fields - count

Happy Splunking!

0 Karma

gokikrishnan198
New Member

Thank you. It worked.

0 Karma

adonio
Ultra Champion

what do you mean by "used by the app"? do you mean configured under this app, e.g. props.conf and indexes.conf and maybe other files are in that app directory? or do you refer to what knowledge objects / searches are in this app?
if it is an RBAC question, an app has no "roles"; access to indexes or apps or knowledge objects can be defined per role

0 Karma

gokikrishnan198
New Member

Our client uses Splunk. All the teams have their own app available in it. We are one of the teams as well. In this situation, I would like to know the steps to identify the INDEX and SOURCETYPE.

0 Karma

gokikrishnan198
New Member

Can anybody help me on this?

0 Karma

adonio
Ultra Champion

@gokikrishnan1982,
sorry but i am still not sure what exactly you are looking for.
what is the problem you are trying to solve?
if you are trying to figure out which sourcetypes and indexes are being used by an app, you first have to check the searches / knowledge objects that are under that app and see what sourcetypes and indexes they are running against.
please provide more context and detail so we can better assist you
also, see answer by @renjith.nair, maybe this is what you are looking for

0 Karma
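An added example, not part of any post in this thread, of the check described in the reply above: it lists the saved searches that belong to one app and pulls out the `index=` and `sourcetype=` values written in each search string. `YOUR_APP_NAME` is a placeholder for the app's folder name, and, as with the `rest` call in the accepted answer, the role may need additional permissions to see these objects.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search eai:acl.app="YOUR_APP_NAME"
| rex field=search max_match=0 "(?i)\bindex\s*=\s*\"?(?<ref_index>[^\s\"\)\|,]+)"
| rex field=search max_match=0 "(?i)\bsourcetype\s*=\s*\"?(?<ref_sourcetype>[^\s\"\)\|,]+)"
| stats values(ref_index) AS indexes values(ref_sourcetype) AS sourcetypes BY title
| fillnull value="(none named in search)" indexes sourcetypes
| rename title AS saved_search
```

Searches that name no index fall back to the role's default indexes, and indexes referenced only through macros or dashboard panels will not appear in this output.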

gokikrishnan198
New Member

I am given an app to work within SPLUNK.
I have neither Power User nor User role. Rather I have Elevated User role.
I would like to know the DataSummary from where the data is getting pulled.
I would like to know the list of available Indexes and SourceTypes that are used in my app.
Do we have any query to search that information? Please assist me on the same.

0 Karma