
How to get a list of scheduled searches, reports, alerts, dashboards that use DBX query from my search head?

Harishma
Communicator

I'm trying to get a list of all the existing scheduled searches, reports, alerts, and dashboards that use dbquery in my SH, along with the owner and app details. Is this possible? Could someone kindly help?

somesoni2
SplunkTrust

You can use the following searches to get that info.
Saved searches (reports/alerts)

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]

Dashboards

| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app  eai:data eai:acl.owner| rename eai:data as code eai:acl.owner as owner | where match(code,"dbquery") OR match(code,"dbinfo") OR match(code,"dboutput") | join type=left  owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]

From each search, you can remove the join subsearch if you don't really need the full name/email etc.; it will perform better.
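The two searches in the answer above can be combined into one inventory, shown here as an added example that is not part of the original answer. It assumes you also want to catch the DB Connect 2.x/3.x command names (`dbxquery`, `dbxoutput`, `dbxlookup`) next to the older names used in the thread; the `type` and `code` field names are chosen for this example.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| eval type="saved search", code=search
| fields type title eai:acl.app eai:acl.owner is_scheduled cron_schedule code
| append
    [| rest splunk_server=local /servicesNS/-/-/data/ui/views
     | eval type="dashboard", code='eai:data'
     | fields type title eai:acl.app eai:acl.owner code]
| where match(code, "db(query|info|output)|dbx(query|output|lookup)")
| rename eai:acl.app as app eai:acl.owner as owner
| table type title app owner is_scheduled cron_schedule
| sort type app title
```

`is_scheduled` and `cron_schedule` are only populated for saved searches, so dashboard rows leave those columns empty.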

akocak
Contributor

I saw similar in other answers

| rest splunk_server=local /servicesNS/-/-/data/ui/views

as well as

rest  /services/saved/searches  

I am having issues returning results from these, and I am an admin. Do you know what could be my issue?
Is there any way to combine audittrail logs with some other internal log to get the same results?

0 Karma

somesoni2
SplunkTrust

Hope you're running this exact search: (need that first pipe)

|  rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput")
0 Karma

akocak
Contributor

Did you find anything for this? I have a similar requirement.

0 Karma