identify knowledge objects, permissions and extractions

The following will:

  • list all knowledge objects for your SH (or given search peer(s))
  • each objects name, type, app, permissions, sharing (e.g. global, app, private) and owner
  • if props-extract:
    the props stanza, props type (e.g if its Inline or Transforms), props sourcetype and props value (e.g. the regex)
  • if transforms-extract:
    the state (tf_disabled), format (tf_format), tf_fields (fields) and the regex (tf_regex)

I found it quite useful as you can push that all to a nice dashboard and so be able to provide a quick way to search where an extraction is made and who and how and.. you know what i mean :)

Here you go:


So now its up to you as you can:

  • modify in the end of the search: app , sharing , …
  • the splunk_server everywhere if needed


Share This:

Leave A Comment?