Splunk Search

How to search in Splunk if a specific lookup table is being used in a dashboard?

TaraAshley
Engager

Hello,

I was wondering if it is possible to locate or search in Splunk if a specific lookup table is being used in a dashboard, alert, saved search, report etc. Thank you for your help!


TaraAshley
Engager

Thank you very much!


fredclown
Contributor

Here are some SPL queries from a knowledge object definition term search dashboard I have in my environment. I've been thinking about putting it and some other admin centric dashboards I've created into an app and adding it to Splunkbase. Maybe I should get on that. Replace the {your_term} parts with your lookup.

Saved Search

| rest splunk_server=* /servicesNS/-/-/saved/searches add_orphan_field=yes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing, dispatch.* as *
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, disabled, is_scheduled, cron_schedule, earliest_time, latest_time, title, search
| sort splunk_server, title

Views

| rest splunk_server=* /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(label,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, label, data
| sort splunk_server, title

Data Models

| rest splunk_server=* /servicesNS/-/-/data/models
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, data
| sort splunk_server, title

Fields

| rest splunk_server=* /services/data/props/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| eval type="props"
| search has_term=1
| append [
	| rest splunk_server=* /services/data/transforms/extractions
	| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(REGEX,"{your_term}") OR match(SOURCE_KEY,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="transforms"
	| fields splunk_server, app, owner, sharing, title, REGEX, SOURCE_KEY
]
| append [
	| rest splunk_server=* /services/data/props/calcfields
	| rename eai:acl.app as app, eai:acl.owner as owner, field.name as field_name, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(field_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="calcfields"
	| fields splunk_server, app, owner, sharing, title, type, attribute, value, field_name
]
| append [
	| rest splunk_server=* /services/data/props/fieldaliases
	| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
	| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
	| search has_term=1
	| eval type="fieldalias"
	| fields splunk_server, app, owner, sharing, title, type, attribute, value
]
| rename REGEX as regex, SOURCE_KEY as source_key
| fields splunk_server, app, owner, sharing, title, type, attribute, value, regex, source_key, field_name

Macros

| rest splunk_server=* /servicesNS/-/-/admin/macros
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(definition,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, definition
| sort splunk_server, title

Event Types

| rest splunk_server=* /servicesNS/-/-/saved/eventtypes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, search
| sort splunk_server, title

Tags

| rest splunk_server=* /servicesNS/-/-/admin/tags
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(field_name_value,"{your_term}") OR match(title,"{your_term}") OR match(tag_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, tag_name, field_name_value
| sort splunk_server, tag_name

Lookups

| rest splunk_server=* /services/data/transforms/lookups
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| append [
    | rest splunk_server=* /servicesNS/-/-/data/lookup-table-files
    | rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
    | eval filename=title
    | eval type="file"
]
| eval filename=if(isnull(filename), title, filename)
| stats values(title) as title, values(fields_array) as fields_array by splunk_server, app, owner, sharing, filename, type
| eval filename=if(type!="file" AND type!="geo", "", filename)
| eval has_term=if(match(filename,"{your_term}") OR match(title,"{your_term}") OR match(fields_array,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, filename, title, fields_array, type
| sort splunk_server, filename
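
The per-object-type searches above each answer one part of the question. As an added example (not part of fredclown's answer or the original thread), the query below sweeps the three object types that can actually invoke a lookup at search time, saved searches/alerts/reports, dashboards and macros, in one pass and returns a single table tagged with the object type. `{your_lookup_name}` is a placeholder to replace; everything else uses only the REST endpoints and field names already shown in the answer. SPL references a lookup by its definition name (the `transforms.conf` stanza), not by the CSV filename, so run it once for each if the two differ.

```spl
| rest splunk_server=* /servicesNS/-/-/saved/searches
| eval object_type="saved_search_or_alert", body=search
| append [
    | rest splunk_server=* /servicesNS/-/-/data/ui/views
    | eval object_type="dashboard", body='eai:data'
]
| append [
    | rest splunk_server=* /servicesNS/-/-/admin/macros
    | eval object_type="macro", body=definition
]
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| where match(body, "(?i){your_lookup_name}")
| table object_type, splunk_server, app, owner, sharing, title
| sort object_type, title
```

Two things to check before trusting an empty result. First, `| rest` only returns objects the running user is allowed to read, so run this with an admin role (and with `splunk_server=*` on a search head cluster) or private objects owned by other users will be silently missing. Second, a dashboard can reach the lookup indirectly through a macro or a saved search it embeds; that is why the macro and saved-search branches are included, and why a hit in the `macro` rows should be followed by a second search for that macro's name. Each `append` branch is a subsearch and is subject to the subsearch result and time limits, so in a very large environment run the three branches separately rather than appending them.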