- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How do I find which specific Data Sources are ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I find which specific Data Sources are lighting up the different Dashboards?
Is there any easy way to see which Data Source lights up specific Dashboards? I am creating documentation, and would like to include the data sources lighting up the different Dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following query can give you list of dashboards and corresponding dashboard xml/code.
| rest /servicesNS/-/-/data/ui/views | table label eai:data | rename eai:data as code
Now based on how your dashboard users write searches, you can extract the data sources (index/source/sourcetype) from that field. Following can give you a sample to extract index names
| rest /servicesNS/-/-/data/ui/views | table label eai:data | rename eai:data as code | rex field=data max_match=0 "\sindex\s*=\s*(?<indexes>\S+)"
Now, the users can specify one or more of index/source/sourcetype/eventtypes/tags/macros OR sometime nothing at all (not a good practice), so you can play around by trying to extract different data sources by adding multiple rex commands.
Update
Adding sourcetype extraction, fixing some typos of rex
| rest /servicesNS/-/-/data/ui/views | table label eai:data | rename eai:data as code | rex field=code max_match=0 "\sindex\s*=[\s\"]*(?<indexes>[^\s\"]+)" | rex field=code max_match=0 "\ssourcetype\s*=[\s\"]*(?<sourcetypes>[^\s\"]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2
Not sure I completely follow this query. When I input the query into the search, I do get the XML for the various dashboards, but I dont see the source types that populate the different dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to add extraction logic for sourcetype here (my answer is just extracting index name.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @miajay1980
Can you clarify what you mean by "lighting up" dashboards? Do you mean populating dashboards with data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes pablo populating the dashboards... I'm trying to compile a list of which source types are populating the dashboards.
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
