```Map CIM datamodels (via the tags in their constraint searches) to the add-on sourcetypes that emit those tags, so a new add-on can be checked against the datamodels that Enterprise Security content is built on. Comments use SPL triple-backtick syntax (Splunk 8.0+).```
```Left side: every datamodel definition readable by the running user, across all owners and apps (servicesNS/-/-); count=0 lifts the result limit. Only the local search head is queried.```
| rest splunk_server=local count=0 /servicesNS/-/-/admin/datamodel-files
```Pull the base search and every constraint search out of the datamodel JSON so the tag= terms can be read from them.```
| spath input=eai:data output=base_search path=objects{}.baseSearch
| spath input=eai:data output=constraints path=objects{}.constraints{}.search
| eval tag_content = mvappend(base_search,constraints)
```Extract every tag=foo / tag='foo' term. \w+ stops at the first non-word character, so a tag name containing e.g. '-' would be truncated.```
| rex max_match=0 field=tag_content "tag=\"?(?<tag_name>\w+)\"?"
```One row per (datamodel, tag) pair.```
| mvexpand tag_name
| rename title AS datamodel
```Right side: eventtypes from every app, reduced to the tags they apply and the sourcetype they match on.```
| append
[| rest splunk_server=local count=0 /servicesNS/-/-/admin/eventtypes
| rename eai:acl.app AS app tags AS tag_name
```Keep add-ons only. This is a case-insensitive wildcard match, so any app whose name merely contains 'ta' is kept, not only Technology Add-ons; tighten if that produces noise.```
| search app="*TA*"
```Only eventtypes whose definition contains a literal sourcetype= term are kept; eventtypes built on source=, index= or macros contribute nothing. The ^ inside the character class is a literal caret, not a negation.```
| rex max_match=0 field=search "sourcetype=\"?(?<sourcetype>[^\s\"^)]+)\"?"
| mvexpand sourcetype
| mvexpand tag_name
```Composite key app__sourcetype so the pair survives the stats below as a single field; it is split back apart at the end.```
| eval app_sourcetype=mvzip(app,sourcetype,"__")
| stats list(tag_name) as tag_name by app, sourcetype,app_sourcetype ]
```Join both halves on tag_name: for each tag, which datamodels consume it and which app/sourcetype pairs produce it. list() keeps duplicates and is capped by Splunk (100 values per group), so very large deployments may lose entries at this step.```
| stats list(datamodel) as datamodel, list(app) as app, list(app_sourcetype) as app_sourcetype by tag_name
```Drop tags that no datamodel consumes.```
| search datamodel=*
```Pivot to one row per app/sourcetype pair with the datamodels it feeds and the tags that connect them.```
| stats values(datamodel) as datamodel, values(tag_name) as tags by app_sourcetype
```values() already returns a deduplicated set, so this dedup is a belt-and-braces step.```
| eval tags=mvdedup(tags)
```Split the composite key. app is a greedy .+ up to the LAST '__', sourcetype starts after the FIRST '__'; if either name itself contains '__' the two extractions disagree. The \"? fragments appear to be leftovers from the quoted patterns above and match nothing here.```
| rex max_match=0 field=app_sourcetype "\"?(?<app>.+)__\"?"
| rex max_match=0 field=app_sourcetype "__\"?(?<sourcetype>.+)\"?"
| fields - app_sourcetype
purpose:
This search answers the question of which dashboards in Enterprise Security my new add-on will be used for.
requirements:
comments:
This is useful to see which app populates which datamodel in Enterprise Security, or in any other environment that uses datamodels.