
Sourcetypes - list of where they're being used?

sheltomt
Path Finder

We're migrating from a stand-alone production instance to a clustered environment. As such, we're moving applications over one at a time and testing as we go.

We've come across an app that apparently supports numerous other apps, through field extractions, shared sourcetypes, etc.

We're looking for ways to audit our sourcetypes and figure out where they're all being used.

Has anyone done this before?

1 Solution

somesoni2
Revered Legend

We do this kind of analysis typically in the case where we're renaming or retiring a sourcetype. We look for saved objects where the sourcetype is used, e.g. saved searches (alerts, reports), dashboards, macros, eventtypes etc. Here are the queries that you can use to see if your sourcetype is used in different KOs (knowledge objects) in Splunk.

Query1 (macros)

| rest splunk_server=local /servicesNS/-/-/properties/macros | table id eai:acl.owner | rename eai:acl.owner  as owner | fillnull value="-"  owner | map maxsearches=10000 search="| rest splunk_server=local $id$/definition | eval id=\"$id$\" | eval owner=\"$owner$\"" | where match(value,"YourSourceTypeHere\:") | table id | rex field=id ".+\/(?<search>.+)$" | table search | eval search="search=*\"`".search."`\"*"

Query2 (eventtypes)

| rest /servicesNS/-/-/saved/eventtypes splunk_server=local | search search="*YourSourceTypeHere*"| table title | eval search="search=\"*eventtype*=*".title."*\"" | table search

Query3 (Saved searches)

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"YourSourceTypeHere") 

Query4 (Dashboards/Forms)

| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app  eai:data eai:acl.owner| rename eai:data as code eai:acl.owner as owner | where match(code,"YourSourceTypeHere")

Now, there may be people who use the sourcetype in ad-hoc queries (not saved). You can query the audit logs to find those. Note that audit logs are limited by the retention period on the _audit index and may not have all historical data. Also, the query below gives results only for ad-hoc searches where the sourcetype is referred to directly. If the sourcetype is used in a macro or eventtype, it won't show here. Adjust the search=... clause accordingly to find those usages.

index=_audit action=search (search="*sourcetype*=*YourSourceTypeHere:*")  user!="splunk-system-user" | timechart span=1d count as "#Searches" dc(user) as "#Users"
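The four REST queries above each check one kind of knowledge object for a literal sourcetype string, and the answer notes that indirect use (a saved search that only calls a macro, which in turn names the sourcetype) is not caught. As an added example that is not part of the original thread and not Splunk's own tooling, the Python script below runs the same audit offline over an exported snapshot of those objects and follows macro and eventtype references transitively, reporting the chain for each hit. It assumes the REST responses have been flattened into the dictionary shape shown (macros keyed by name or name(argcount) as the properties/macros endpoint does, eventtypes and saved searches by title with their search string, views by title with the eai:data XML); all object names and bodies are constructed sample data, and find_usages, macro_keys and sourcetype_pattern are names chosen here.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed sample of knowledge-object bodies, keyed the way the REST
# endpoints in the thread return them (assumption: macros by "name" or
# "name(argcount)", eventtypes/saved searches by title with their "search"
# string, views by title with the "eai:data" XML). All values are made up.
SAMPLE_KOS: Dict[str, Dict[str, str]] = {
    "macros": {
        "web_errors": "sourcetype=access_combined status>=500",
        "top_errors(1)": "sourcetype=access_combined | top limit=$n$ uri",
        "db_base": 'index=db sourcetype="db:audit"',
    },
    "eventtypes": {
        "failed_logins": 'sourcetype=linux_secure "Failed password"',
    },
    "saved_searches": {
        "Daily 5xx report": "`web_errors` | timechart span=1d count",
        "Top URIs": "`top_errors(10)`",
        "Login failures": "eventtype=failed_logins | stats count by user",
        "Direct use": "index=web sourcetype::access_combined | head 1",
        "Unrelated": "index=_internal | stats count",
    },
    "views": {
        "ops_dashboard": (
            "<dashboard><row><panel><search><query>"
            "`web_errors` | stats count"
            "</query></search></panel></row></dashboard>"
        ),
    },
}

# `name` or `name(arg1, arg2)` macro invocations inside an SPL string.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^`]*)\))?`")
# eventtype=foo / eventtype="foo" references.
EVENTTYPE_RE = re.compile(r'\beventtype\s*=\s*"?([A-Za-z0-9_:.\-]+)"?', re.IGNORECASE)


def sourcetype_pattern(sourcetype: str) -> "re.Pattern":
    """Match sourcetype=X, sourcetype="X" and sourcetype::X, but not X as a
    prefix of a longer name (sourcetype=X_old). Wildcards in the KO are not
    expanded: a KO that says sourcetype=acc* is not reported for access_combined."""
    return re.compile(
        r'\bsourcetype\s*(?:=|::)\s*"?' + re.escape(sourcetype) + r'"?(?![\w:.\-])',
        re.IGNORECASE,
    )


def macro_keys(spl: str) -> List[str]:
    """Turn each `name(args)` call into the key used by properties/macros."""
    keys = []
    for name, args in MACRO_RE.findall(spl):
        argc = len([a for a in args.split(",") if a.strip()]) if args else 0
        keys.append(f"{name}({argc})" if argc else name)
    return keys


def find_usages(kos: Dict[str, Dict[str, str]], sourcetype: str) -> Dict[str, List[str]]:
    """Return {"kind/title": chain} for every KO that uses `sourcetype`,
    directly or through a macro or eventtype it references. The chain lists
    the objects traversed, ending at the one that names the sourcetype."""
    pat = sourcetype_pattern(sourcetype)

    def resolve(kind: str, name: str, stack: FrozenSet[str]) -> Optional[List[str]]:
        key = f"{kind}/{name}"
        body = kos.get(kind, {}).get(name)
        if body is None or key in stack:  # unknown object, or a macro cycle
            return None
        if pat.search(body):
            return [key]
        seen = stack | {key}
        for mkey in macro_keys(body):
            chain = resolve("macros", mkey, seen)
            if chain:
                return [key] + chain
        for ename in EVENTTYPE_RE.findall(body):
            chain = resolve("eventtypes", ename, seen)
            if chain:
                return [key] + chain
        return None

    usages: Dict[str, List[str]] = {}
    for kind, objects in kos.items():
        for name in objects:
            chain = resolve(kind, name, frozenset())
            if chain:
                usages[f"{kind}/{name}"] = chain
    return usages


if __name__ == "__main__":
    for st in ("access_combined", "linux_secure"):
        print(f"== {st} ==")
        for key, chain in sorted(find_usages(SAMPLE_KOS, st).items()):
            print(f"  {key}  via  {' -> '.join(chain)}")
```

The matcher is deliberately strict about word boundaries so that retiring access_combined does not flag objects that use access_combined_old; the trade-off is that KOs using wildcards or `sourcetype IN (...)` lists are not matched and still need the manual regex check from the queries above. View XML is searched as raw text, so a query stored with XML entities (for example &quot; around the sourcetype) would need unescaping first.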


jlarsonq
Explorer

For the first query for the Macros I had to add a rex command to get it to work:

| rest splunk_server=local /servicesNS/-/-/properties/macros | table id eai:acl.owner | rename eai:acl.owner as owner | fillnull value="-" owner | rex field=id mode=sed "s/https:\/\/127\.0\.0\.1:8089//" | map maxsearches=10000 search="| rest splunk_server=local $id$/definition | eval id=\"$id$\" | eval owner=\"$owner$\"" | where match(value,"YourSourceTypeHere*") | table id | rex field=id ".+\/(?<search>.+)$" | table search | eval search="search=*\"".search."\"*"


sheltomt1
Explorer

Thank you! This is the info I was looking for!


skoelpin
SplunkTrust

This is a really good overview. Thanks @somesoni2


skoelpin
SplunkTrust

Check out Settings > Fields > Field Extractions. You can enter your sourcetype in the search and it will bring back all fields for that sourcetype.

You could also run this search:

index=_* sourcetype=splunkd 
| stats count values(user) AS user values(action) AS app by series 
| rename series AS sourcetype