Splunk Search

There is a list of apps present on shcluster; how to check if any knowledge objects are associated/mapped to each app?

Nilesh3110
Explorer

I have multiple apps on shcluster, "/application/splunk/etc/shcluster/apps". I need to check if there are any knowledge objects related to these apps, that is to say, if these apps are actually required or not. Is there a way I can get the details of all the knowledge objects related to an application? Any shell script which gives me this information?

0 Karma

jarizeloyola
Path Finder

You can use REST commands to find out which apps those knowledge objects are associated with.
There are a lot of REST commands at this link, https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTlist , depending on what you need.
For example:
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTknowledge
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTsearch

0 Karma

Nilesh3110
Explorer

This is more of theory; I'm going through them... Actually I am looking for some script which pulls up this information and gives me a report of all the related knowledge objects for an application.

0 Karma

jarizeloyola
Path Finder

When you run those REST commands in Splunk search, they will give you the information you need for the knowledge objects. For example (you can run it in the MC):

| rest "/servicesNS/-/-/admin/savedsearch/" search="is_scheduled=1" search="disabled=0" splunk_server=sh* 
    [| makeresults 
    | eval earliest_time=relative_time(now(), "-0s@s"), latest_time=relative_time(now(), "+15m@s")
    | return earliest_time, latest_time ] 
| table splunk_server eai:acl.app eai:acl.owner cron_schedule title scheduled_times
0 Karma

Nilesh3110
Explorer

I tried the above but did not get any results. I searched it on the indexer search head. Where do I need to search this query?

0 Karma

jarizeloyola
Path Finder

It is just a sample; you can run it on any of the SHC members or on the MC. You should be an admin or have the right privileges to get the result.

| rest  "/servicesNS/-/-/admin/savedsearch/" splunk_server="*"
0 Karma

Nilesh3110
Explorer

Thanks a lot jarizeloyola. I'm a bit confused, what's the index for the above? Or do I need to run it with curl? If possible, can you please give me the complete command or the way I can run the above search, as the above given search does not give anything. Thanks

0 Karma
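A file-based counterpart to the REST searches in this thread, added here as an example and not posted by anyone in it: a shell function that counts knowledge-object stanzas and dashboards per app under a directory such as /application/splunk/etc/shcluster/apps. It assumes the standard app layout (`default/` and `local/` conf files, views under `data/ui/views`), and the `KO_CONFS` list and function names are choices made for this example. Objects created at runtime on the search head cluster members are not in the deployer's staging directory, so an app showing `total=0` here still needs the REST check before it is removed.

```shell
#!/usr/bin/env bash
# Added example: inventory knowledge objects per app from the files on disk.
# Assumption: KO_CONFS is a non-exhaustive list of knowledge-object conf files.
KO_CONFS="savedsearches macros eventtypes tags props transforms"

# count_stanzas FILE... -> number of distinct stanza names across the files.
# default/ and local/ can both define a stanza, so names are de-duplicated;
# [default] only carries file-wide settings and is not an object.
count_stanzas() {
  { cat "$@" 2>/dev/null || true; } |
    awk '/^\[/ && $0 != "[default]" && !seen[$0]++ { c++ } END { print c + 0 }'
}

# count_views APP_DIR -> number of distinct dashboard XML files in the app.
count_views() {
  { find "$1/default/data/ui/views" "$1/local/data/ui/views" \
      -name '*.xml' 2>/dev/null || true; } |
    sed 's|.*/||' | sort -u | awk 'END { print NR }'
}

# ko_report APPS_DIR -> one line per app:
#   <app> savedsearches=N macros=N ... views=N total=N
ko_report() {
  for app in "$1"/*/; do
    [ -d "$app" ] || continue
    app=${app%/}
    line=$(basename "$app")
    total=0
    for conf in $KO_CONFS; do
      n=$(count_stanzas "$app/default/$conf.conf" "$app/local/$conf.conf")
      line="$line $conf=$n"
      total=$((total + n))
    done
    n=$(count_views "$app")
    echo "$line views=$n total=$((total + n))"
  done
}

# Usage: ./ko_report.sh /application/splunk/etc/shcluster/apps
if [ "$#" -gt 0 ]; then ko_report "$1"; fi
```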