I recently started working at a new firm to monitor and manage Splunk for them. The issue I'm encountering is that I want to have a thorough understanding of their deployment, so I'm trying to see where some of their DBX inputs are being used. To avoid confusion as to what I'm trying to do, let me give an example. Let's say I have an input in DB Connect (we'll call it Input_A); The data ingested via Input_A is used by an unknown number of Alerts, an unknown number of dashboards and an unkown number of reports. Is there some way that I can find out how many alerts/dashboards/reports etc. use the data originating from Input_A as well as the names of those alerts/dashboards/reports etc. ? I'm still relatively inexperienced, so perhaps my question will have a simple solution that I'm just not seeing (I'm hoping that the solution is more efficient that looking at the hundreds of alerts/dashobards/reports we have one by one)
That's not an easy thing to do. The DBX inputs should have a sourcetype assigned to them so you may be able to match the sourcetype(s) to the KOs that use them. That's easier said than done, however, because the reference to the sourcetype could be an explicit sourcetype=foo or it could be in a macro or an eventtype or a datamodel. And then there will be those KOs that don't use a sourcetype at all.
--- If this reply helps you, an upvote would be appreciated.