Lookup Files by App

Dashboard - Lookup Audit Dashboard for displaying lookup table files on a Search Head. Created to easily identify large tables which might disrupt Splunk uptime. Created by Discovered Intelligence -- https://discoveredintelligence.ca, modifications by Gareth Anderson | rest /servicesNS/nobody/$appselection_rest$/data/lookup-table-files splunk_server=local | rename eai:acl.app as appname | regex appname=^$appselection$$ | dedup appname | map maxsearches=5000 search=" | rest /servicesNS/-/$appselection_rest$/admin/file-explorer/$splunk_dir|u$%2Fapps%2F$$appname$$%2Flookups splunk_server=local | eval appname=\"$$appname$$\""

Select Lookup Filter Show All Lookups Exclude Blacklisted Lookups Show Only Blacklisted Lookups * NonBlackList NonBlackList Select App All appname appname | rest /servicesNS/-/-/data/lookup-table-files splunk_server=local | where like(title,"%csv") | rename eai:acl.app as appname | dedup appname | sort appname -15m now - $value$ Private User Lookup All Yes No * * Splunk Etc Dir (use \\\\ for Windows paths or / for Unix). C:\\\\program files\\\\splunk\\\\etc (for example) /opt/splunk/etc

Lookup Files by App | rex field=title "[\\\\/]apps[\\\\/](?P<App>.+)[\\\\/]lookups" | sort - lastModifiedTime | eval "Last Modified" = strftime(lastModifiedTime,"%b %d, %Y %H:%M"), fileSize_MB=round((fileSize/1024),3) | fillnull value=0.000 fileSize_MB | fields App name fileSize_MB "Last Modified" title | rex field=title "(?<title>apps.*)$" | search $blacklist$ | join type=left name [| rest /servicesNS/nobody/$appselection_rest$/data/lookup-table-files splunk_server=local | rename title AS name | fields + name author] | eval private_lookup="No" | append [| rest /servicesNS/-/$appselection_rest$/data/lookup-table-files splunk_server=local | regex eai:data="[\\\\/]users[\\\\/]$appselection$[\\\\/][^\\\\/]+[\\\\/]lookups[/\\\\]" | rename eai:acl.app as appname, eai:userName AS user | search appname=* | dedup appname | map maxsearches=5000 search=" | rest /servicesNS/-/$appselection_rest$/admin/file-explorer/$splunk_dir|u$%2Fusers%2F$$user$$%2F$$appname$$%2Flookups splunk_server=local" | rex field=title "[\\\\/]users[\\\\/]$appselection$[\\\\/](?<App>.+)[\\\\/]lookups[\\\\/]" | sort - lastModifiedTime | eval "Last Modified" = strftime(lastModifiedTime,"%b %d, %Y %H:%M"), fileSize_MB=round((fileSize/1024),3) | fillnull value=0.000 fileSize_MB | fields App name fileSize_MB "Last Modified" title | rex field=title "(?<title>users.*)$" | search $blacklist$ | join type=left name [| rest /servicesNS/-/$appselection_rest$/data/lookup-table-files splunk_server=local | regex eai:data="$splunk_dir$[\\\\/]users[\\\\/]$appselection$[\\\\/]" | rename title AS name | fields + name author] | eval private_lookup="Yes" ] | rename title AS path | search private_lookup="$priv_lookup$" | sort - fileSize_MB

Lookup Subdirectories by App Note: blacklist does not work for this panel and the last modified is directory modification date. If the author is blank then no matching lookup definition of type geo was found. Finally, as per the open ideas, the sub-directories under the lookups directory are never reaped by Splunk as of 8.0.3, it is upto the administrator to remove them as required. Also note they are not blacklisted from the knowledge bundle to the search peers, and finally they are created when the geom command is used so can be different per-search head! | eval last_modified = strftime(lastModifiedTime,"%b %d, %Y %H:%M") | search hasSubNodes=1 | map maxsearches=5000 search=" | rest /servicesNS/-/$appselection_rest$/admin/file-explorer/$splunk_dir|u$%2Fapps%2F$$appname$$%2Flookups%2F$$name$$ splunk_server=local | eval last_modified=\"$$last_modified$$\"" | rex field=title "(?P<path>[^/\\\\]+[/\\\\](?P<App>[^/\\\\]+)[/\\\\][^/\\\\]+[/\\\\](?P<dirname>[^/\\\\]+))[/\\\\][^/\\\\]+$" | stats sum(fileSize) AS fileSize, values(last_modified) AS "Last Modified" by dirname, App, path | append [| rest /servicesNS/-/$appselection_rest$/data/lookup-table-files splunk_server=local | regex eai:data="$splunk_dir$[\\\\/]users[/\\\\][^/\\\\]+[/\\\\]$appselection$[\\\\/]" | rename eai:acl.app as appname, eai:userName AS user | search appname=* | dedup appname | map maxsearches=5000 search=" | rest /servicesNS/-/$appselection_rest$/admin/file-explorer/$splunk_dir|u$%2Fusers%2F$$user$$%2F$$appname$$%2Flookups splunk_server=local | eval appname=\"$$appname$$\", user=\"$$user$$\"" | search NOT ignoreme="true" | search hasSubNodes=1 | eval last_modified = strftime(lastModifiedTime,"%b %d, %Y %H:%M") | fillnull last_modified | map maxsearches=5000 search=" | rest /servicesNS/-/$appselection_rest$/admin/file-explorer/$splunk_dir|u$%2Fusers%2F$$user$$%2F$$appname$$%2Flookups%2F$$name$$ splunk_server=local | eval last_modified=\"$$last_modified$$\"" | rex field=title "(?P<path>([^/\\\\]+[/\\\\]){2}(?P<App>[^/\\\\]+)[/\\\\][^/\\\\]+[/\\\\](?P<dirname>[^/\\\\]+))[/\\\\][^/\\\\]+$" | stats sum(fileSize) AS fileSize, values(last_modified) AS "Last Modified" by dirname, App, path ] | eval fileSize_MB=round((fileSize/1024),3) | table App, dirname, fileSize_MB, "Last Modified" path | join type=left dirname [| rest /servicesNS/-/$appselection_rest$/data/transforms/lookups splunk_server=local search="type=geo" f=title | fields + dirname author] | sort - fileSize_MB