Dashboards & Visualizations

Export Dashboard XML as CSV for Version Control

daniel_rico
Explorer

I have a relatively simple use case but I'm having trouble getting it done. I would like to export the label, description, title and query of each dashboard within my app.

I've gotten as far as this (please don't base your answer on what I have so far unless it's going down the right path 🙂 )

| rest /servicesNS/-/-/data/ui/views 
| search isDashboard=1 eai:acl.app=$APPNAME$ 
| rex max_match=0 field=eai:data "\<description\>(?<DESCRIPTION>.*?)(?:\<\/description\>*?)" 
| rex max_match=0 field=eai:data "\<label\>(?<DB_GROUP>.*?)(?:\<\/label\>*?)" 
| rex max_match=0 field=eai:data "\<title\>(?<DB_NAME>.*?)(?:\<\/title\>*?)"
| rex max_match=0 field=eai:data "\<query\>(?<QUERY>.*?)(?:\<\/query\>*?)" 
| mvexpand DB_NAME
| mvexpand QUERY
| table DB_GROUP DB_NAME DESCRIPTION QUERY eai:acl.app
| dedup QUERY

I'm completely aware that the regex is probably not optimized/etc. and I'll fix that later on.

The primary issue is that the query is going to be a multivalue field, as well as the title. The two mvexpand() commands causing a little dilemma as I'm never "recombining" those values into one field that I can re-extract. This leads to an issue where the table values aren't a 1:1 match.

I was thinking that mvindex() may be the solution but I'm not entirely sure how I'd implement it. Again, spitting in the dark here so any help is much appreciated.

0 Karma
1 Solution

niketn
Legend

@daniel.rico@firstdata.com, as far as your rex is working fine, DB_NAME and QUERY should be multi-value field as Dashboard will have only one description and label.

You can use mvzip() to map multi-valued 1:1. PS: I have used <> as the delimiter since query field is ideally not expected to have < or >, which are escaped as &lt; and &gt; respectively. Then you can use mvexpand command on the new stitched multi-valued field. The split() and mvindex() functions are used to bring back title and query from each panel.

<YourBaseSearch>
| eval DashboardMeta=mvzip(DB_NAME,QUERY,"<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta,"<>")
| eval DB_NAME=mvindex(DashboardMeta,0)
| eval QUERY=mvindex(DashboardMeta,1)
| table DESCRIPTION DB_GROUP DB_NAME QUERY

PS: mvzip expects 1 to 1 fields present in both multi-valued fields being stitched. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@daniel.rico@firstdata.com, as far as your rex is working fine, DB_NAME and QUERY should be multi-value field as Dashboard will have only one description and label.

You can use mvzip() to map multi-valued 1:1. PS: I have used <> as the delimiter since query field is ideally not expected to have < or >, which are escaped as &lt; and &gt; respectively. Then you can use mvexpand command on the new stitched multi-valued field. The split() and mvindex() functions are used to bring back title and query from each panel.

<YourBaseSearch>
| eval DashboardMeta=mvzip(DB_NAME,QUERY,"<>")
| mvexpand DashboardMeta
| eval DashboardMeta=split(DashboardMeta,"<>")
| eval DB_NAME=mvindex(DashboardMeta,0)
| eval QUERY=mvindex(DashboardMeta,1)
| table DESCRIPTION DB_GROUP DB_NAME QUERY

PS: mvzip expects 1 to 1 fields present in both multi-valued fields being stitched. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

daniel_rico
Explorer

Appears to work - I have to do some further testing but this seems like what I need - I didn't think of trying that delim out - Awesome!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...