Splunk Search

Is there a way to tell if a lookup file is in use on a dashboard, report, or alert without manually checking each of these searches?

pepper_seattle
Path Finder

I employ a fair number of lookup files across my app which is heavily populated with dashboards and reports.

Question:
Is there a way to tell if a lookup file is in use on a dashboard, report, or alert without manually checking each of these areas/queries?

1 Solution

MuS
SplunkTrust

Hi pepper_seattle,

This is hard to tell, because what if your lookup is set up as an automatic lookup on a sourcetype? Then you would have to check all searches and see if they use the lookup by searching for events for this sourcetype. For example, of these searches, which one makes use of a user-to-location lookup on sourcetype=bar?

sourcetype=b* | table *
sourcetype=foo | stats count by location
index=baz | stats count by location
  • Search 1 may return events matching the stanza, but there's no indication that it returns the location field
  • Search 2 obviously uses the location field but can't return events matching the sourcetype
  • Search 3 may or may not even have matching events in that index

One other thing would be if all searches use inputlookup or lookup, which will be much easier to tell by looking at the searches.

Hope this helps ...

cheers, MuS


pepper_seattle
Path Finder

Mainly looking to see any saved query (in a dashboard, alert, or report) that would include "..| lookup .."

Does that make it simpler?


MuS
SplunkTrust

Much simpler 😉 try this search in your Splunk App:

| rest /services/saved/searches | search qualifiedSearch=*lookup* | table title

This will list all saved searches which contain lookup. Run this command to get back all dashboards containing lookup:

| rest /servicesNS/-/-/data/ui/views | search eai:data=*lookup* | table title

Hope this helps ...
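
As an added example (not part of the original thread): the `*lookup*` wildcard in the two searches above also matches any saved search or dashboard that merely mentions the word. The Python below runs over constructed records shaped like the rows those `rest` searches return (`title`, `qualifiedSearch`, `eai:data`) and pulls the lookup name out of explicit `lookup`, `inputlookup` and `outputlookup` commands. The function names and sample data are assumptions, and automatic lookups stay invisible to it, as pointed out earlier in the thread.

```python
import re
from collections import defaultdict

# "| lookup NAME", "| inputlookup NAME" or "| outputlookup NAME";
# leading key=value options (e.g. local=true, append=true) are skipped.
LOOKUP_CMD = re.compile(
    r"\|\s*(?:input|output)?lookup\s+(?:\w+=\S+\s+)*([\w.\-]+)", re.IGNORECASE
)

def lookups_in(text):
    """Names of lookups explicitly invoked by a lookup command in SPL or dashboard XML."""
    return set(LOOKUP_CMD.findall(text or ""))

def index_lookup_usage(saved_searches, views):
    """Map lookup name -> set of (object type, title) that invoke it."""
    usage = defaultdict(set)
    for rec in saved_searches:
        for name in lookups_in(rec.get("qualifiedSearch")):
            usage[name].add(("saved search", rec["title"]))
    for rec in views:
        for name in lookups_in(rec.get("eai:data")):
            usage[name].add(("dashboard", rec["title"]))
    return dict(usage)

# Constructed sample records (hypothetical titles and searches).
SAVED = [
    {"title": "Logins by location",
     "qualifiedSearch": "search index=auth | lookup local=true user_location user "
                        "OUTPUT location | stats count by location"},
    {"title": "DNS failures",  # matches *lookup* but runs no lookup command
     "qualifiedSearch": 'search index=net "dns lookup failed" | stats count by host'},
    {"title": "Bar by location",  # automatic lookup on the sourcetype: not detectable here
     "qualifiedSearch": "search sourcetype=bar | stats count by location"},
]
VIEWS = [
    {"title": "auth_overview",
     "eai:data": "<dashboard><row><panel><table><search><query>| inputlookup "
                 "user_location | stats count by location</query></search>"
                 "</table></panel></row></dashboard>"},
    {"title": "asset_admin",
     "eai:data": "<form><search><query>index=cmdb | outputlookup append=true "
                 "assets.csv</query></search></form>"},
]

if __name__ == "__main__":
    for name, users in sorted(index_lookup_usage(SAVED, VIEWS).items()):
        print(name, sorted(users))
```

A lookup definition name and its file name (for example `user_location` and `user_location.csv`) are reported as separate keys, so check both when deciding whether a file is unused.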
