How can I get a complete inventory / dependency tree of a given App?

uberjay2
New Member

Is there a way to take a given dashboard or report or both and trace back to all of its dependencies?

It would be great if it was a scripted method, but if there's an interactive way to do this that'd be fine.

Basically, there are some changes planned and we want to take an inventory of a given app's data, indices, reports, dashboards, etc. from two vantage points: a) to simply have a record/backup of these assets; and b) to understand what has been built within an app - for which there have been many hands involved over time building.

Thanks in advance for any help!

0 Karma

martin_mueller
SplunkTrust

There is no complete way of doing this, but it'd be a nice feature to have.

Manually, you'd take a dashboard and list all its scripts, CSS files, permissions, and searches.
Then you'd take a search, and list its indexes (including wildcards, implicit settings by role-based permissions), sourcetypes, fields, lookups, macros, etc. across all apps in its namespace (= private by user + shared in this app + imported from other apps + exported globally by other apps + system).

Getting that right and complete is nigh-on impossible. For example, take a simple search: status=200 | stats count
That loads data from all indexes the current user's roles are set to search by default. Depending on your environment, that alone might be a tough question to answer.
Then, it uses all status fields from all sourcetypes. Those could be index-time (check on all indexers and cooking heavy forwarders for their definition), auto-key-value, regex EXTRACT-foo or REPORT-foo, calculated, aliased, or autolookup'd - as visible in the current user's namespace, so for example a field alias private to that user could change the results significantly, or not having read permissions for a TA that globally extracts the status field for some sourcetype.

To a degree, the Knowledge Object Explorer can help - enter status=200 into the Explore page and you'll get a tree of aliases, calculated fields, and reverse lookups across the selected namespace. It won't answer all questions though.
https://splunkbase.splunk.com/app/2871/

uberjay2
New Member

Thanks Martin. Good to know that I didn't just happen to miss a feature that might have existed. I'll check into that Knowledge Object Explorer and see how far I get with that.

0 Karma

niketn
Legend

To add to @martin_mueller's answer, you can use the Splunk REST API to fetch your dashboard Simple XML code:

| rest /servicesNS/<YourUserName>/<YourAppName>/data/ui/views/
| search eai:appName="<YourAppName>" AND author="<YourUserName>" isDashboard=1
| table title label author eai:appName eai:data updated

Then extract out all the required details from eai:data using SPL like spath and rex etc:

1) Scripts/CSS and other Static files like images/icons
2) Knowledge Objects used
3) Post Processing
4) Tokens used in dashboard
5) Visualizations used/Configuration options used
6) No of elements/panels/charts etc
7) No of searches running
8) Drilldown and dependency with external URLs/Dashboards/Saved Searches

For each knowledge object identified above, either a specific REST call can be used or, better, use the amazing utility app suggested by @martin_mueller.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
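An added example, not code from either answer above: a Python sketch that takes one dashboard's eai:data (as returned by the REST search) and pulls out the items listed in the two answers, including searches that name no index and so depend on role defaults. The sample XML, the `inventory` function and the regexes are assumptions made for illustration; the patterns are heuristics over SPL text, so they will miss anything hidden inside macros or saved searches.

```python
import re
import xml.etree.ElementTree as ET

ELEMENTS = ("panel", "chart", "table", "single", "event", "map", "viz", "html")
# Constructed sample of one dashboard's eai:data (not taken from the thread).
SAMPLE = """<form script="audit.js" stylesheet="audit.css">
  <search id="base">
    <query>index=web sourcetype=access_combined status=$status_tok$
      | `normalize_uri(uri)` | lookup http_codes status OUTPUT description</query>
  </search>
  <row>
    <panel><chart>
      <search base="base"><query>stats count by description</query></search>
      <drilldown><link>/app/search/error_detail?form.code=$click.value$</link></drilldown>
    </chart></panel>
    <panel><single><search><query>status=200 | stats count</query></search></single></panel>
    <panel><table><search ref="Daily Error Summary"/></table></panel>
  </row>
</form>"""

def uniq(pattern, text):
    return sorted(set(re.findall(pattern, text)))

def inventory(simple_xml):
    """Best-effort dependency list for one Simple XML dashboard."""
    root = ET.fromstring(simple_xml)
    searches = list(root.iter("search"))
    inline = [(s, s.findtext("query")) for s in searches if s.findtext("query")]
    spl = "\n".join(q for _, q in inline)
    links = [l.text.strip() for l in root.iter("link") if l.text]
    return {
        "static_files": [f.strip() for a in ("script", "stylesheet")
                         for f in root.get(a, "").split(",") if f.strip()],
        "indexes": uniq(r'\bindex\s*=\s*"?([\w*.-]+)', spl),
        "sourcetypes": uniq(r'\bsourcetype\s*=\s*"?([\w*:.-]+)', spl),
        "macros": uniq(r"`\s*([\w:.-]+)[^`]*`", spl),
        "lookups": uniq(r"\|\s*(?:input)?lookup\s+([\w.-]+)", spl),
        "tokens": uniq(r"\$([A-Za-z_][\w.]*)\$", "\n".join([spl] + links)),
        "saved_searches": [s.get("ref") for s in searches if s.get("ref")],
        "drilldown_links": links,
        "post_process": sum(1 for s in searches if s.get("base")),
        "elements": {t: n for t in ELEMENTS if (n := len(list(root.iter(t))))},
        # Event searches with no index= fall back to the role's default indexes.
        "implicit_index": [q.strip() for s, q in inline if not s.get("base")
                           and not re.match(r"\s*\||.*\bindex\s*=", q, re.S)],
    }

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

Each name it reports (macro, lookup, saved search) still has to be resolved in the namespace of the user who runs the dashboard, which is the part the first answer describes as hard to get complete.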

uberjay2
New Member

Thanks @niketnilay.... I'll poke around with the REST stuff too.... I've only touched that briefly in some of the courses. Maybe it's time for me to actually discover more about them.

0 Karma