The following will:
- list all knowledge objects for your SH (or given search peer(s))
- show each object's name, type, app, permissions, sharing (e.g. global, app, private) and owner
- if props-extract: the props stanza, props type (e.g. whether it is Inline or Transforms), props sourcetype and props value (e.g. the regex)
- if transforms-extract: the state (tf_disabled), format (tf_format), fields (tf_fields) and the regex (tf_regex)
I found it quite useful, as you can push all of that to a nice dashboard and so be able to provide a quick way to search where an extraction is made, and who made it and how, and... you know what I mean :)
Here you go:
```spl
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, title, eai:type, disabled
| foreach eai:*.* [ rename "<<FIELD>>" to <<MATCHSEG2>> ]
| foreach eai:* [ rename "<<FIELD>>" to <<MATCHSTR>> ]
| eval attribute=replace(title,"(.*:\s+)(.*)","\2")
| eval st=replace(title,"(.*)(\s+:.*)","\1")
| eval props_sourcetype=if(st==attribute,"",st)
| join type=outer attribute
    [| rest /servicesNS/-/-/admin/props-extract count=0 splunk_server=local
     | fields attribute value stanza type
     | rename value to props_value, stanza to props_stanza, type to props_type ]
| join type=outer attribute
    [| rest /servicesNS/-/-/admin/transforms-extract count=0 splunk_server=local
     | fields REGEX FORMAT disabled eai:acl.app title FIELDS
     | makemv delim="," FIELDS
     | rename FIELDS to tf_fields, disabled to tf_disabled, REGEX to tf_regex, FORMAT to tf_format, title to attribute, eai:acl.app to tf_app ]
| fillnull disabled tf_disabled
| table disabled app type attribute props_type props_stanza props_value props_sourcetype tf_disabled tf_format tf_fields tf_regex sharing perms.* location owner
| search (app="*" AND (sharing="*")) AND disabled=*
| rename attribute to "Object Name"
```
So now it's up to you, as you can:
- modify the filter at the end of the search: app, sharing, …
- change the splunk_server everywhere if needed
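To see what the joins above actually produce before wiring the search into a dashboard, here is an added offline Python model of it (example code, not part of the original post). The records for the three REST endpoints are constructed samples with only the fields the search uses; the `audit_rows` and `split_title` helpers are mine and mirror the eval/replace and outer-join steps of the SPL.

```python
# Added example: offline model of the knowledge-object audit search.
# All records below are constructed samples, not pulled from a real search head.
import re

DIRECTORY = [  # /servicesNS/-/-/admin/directory (constructed, trimmed fields)
    {"title": "access_combined : EXTRACT-user", "eai:type": "props-extract",
     "eai:acl.app": "search", "eai:acl.owner": "alice", "eai:acl.sharing": "global",
     "eai:acl.perms.read": "*", "eai:acl.perms.write": "admin", "disabled": "0"},
    {"title": "hosts_tf", "eai:type": "transforms-extract", "eai:acl.app": "search",
     "eai:acl.owner": "bob", "eai:acl.sharing": "app", "eai:acl.perms.read": "*",
     "eai:acl.perms.write": "bob"},
]
PROPS = [  # /admin/props-extract (constructed)
    {"attribute": "EXTRACT-user", "stanza": "access_combined", "type": "Inline",
     "value": r"user=(?<user>\w+)"},
]
TRANSFORMS = [  # /admin/transforms-extract (constructed)
    {"title": "hosts_tf", "REGEX": r"^(?<host>\S+)\s(?<ip>\S+)", "FORMAT": "",
     "FIELDS": "host,ip", "disabled": "0", "eai:acl.app": "search"},
]

def split_title(title):
    """Mirror the two eval/replace calls: directory titles of props objects look
    like '<stanza> : <attribute>'; any other title is the attribute on its own."""
    m = re.match(r"^(.*)\s+:\s+(.*)$", title)
    return (m.group(1), m.group(2)) if m else ("", title)

def audit_rows(directory, props, transforms):
    """Outer-join directory records to props-extract and transforms-extract on the
    attribute name, defaulting the disabled flags to '0' as `fillnull` does."""
    props_by = {p["attribute"]: p for p in props}
    tf_by = {t["title"]: t for t in transforms}
    rows = []
    for d in directory:
        st, attr = split_title(d["title"])
        p, t = props_by.get(attr, {}), tf_by.get(attr, {})
        rows.append({
            "Object Name": attr, "type": d["eai:type"], "app": d["eai:acl.app"],
            "owner": d["eai:acl.owner"], "sharing": d["eai:acl.sharing"],
            "perms.read": d.get("eai:acl.perms.read", ""),
            "perms.write": d.get("eai:acl.perms.write", ""),
            "disabled": d.get("disabled", "0"), "props_sourcetype": st,
            "props_type": p.get("type", ""), "props_stanza": p.get("stanza", ""),
            "props_value": p.get("value", ""), "tf_disabled": t.get("disabled", "0"),
            "tf_format": t.get("FORMAT", ""), "tf_regex": t.get("REGEX", ""),
            "tf_fields": t["FIELDS"].split(",") if t.get("FIELDS") else [],
        })
    return rows
```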