How to compare knowledge objects on two search hea...

alvamnny · ‎03-22-2018

What’s the best way to write a query to list all knowledge objects on a search head, and then compare it to the knowledge objects on another search head?

alvamnny · ‎03-24-2018

So far I’ve ended up using the REST endpoint of services/directory to grab most of what I need.

mayurr98 · ‎03-22-2018

Splunk does not store knowledge objects in any index. Knowledge objects are contained in .conf files and .xml files that are stored in the directory hierarchy under $SPLUNK_HOME/etc

Shameless promotion: there is an app on Splunkbase called X-ray Splunk which collects information about the knowledge objects and presents it in a variety of dashboards. It doesn't seem to work yet on all OSes, but it is free.
Have a look at this ans.
https://answers.splunk.com/answers/95035/how-to-list-objects-of-an-application.html

Let me know if this helps!

How to compare knowledge objects on two search heads?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation