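Here are some SPL queries from a knowledge object definition term search dashboard I have in my environment. I've been thinking about putting it and some other admin-centric dashboards I've created into an app and adding it to Splunkbase. Maybe I should get on that. Replace the {your_term} parts with the name of your lookup. Keep in mind that match() treats {your_term} as a regular expression (so escape characters such as the dot in a .csv file name), and that | rest only returns the knowledge objects the role running the search is allowed to read, so run these as an admin if you need complete coverage.

Saved Search

| rest splunk_server=* /servicesNS/-/-/saved/searches add_orphan_field=yes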
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing, dispatch.* as *
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| where has_term="1"
| fields splunk_server, app, owner, sharing, disabled, is_scheduled, cron_schedule, earliest_time, latest_time, title, search
| sort splunk_server, title

Views

| rest splunk_server=* /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(label,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, label, data
| sort splunk_server, title

Data Models

| rest splunk_server=* /servicesNS/-/-/data/models
| rename eai:acl.app as app, eai:data as data, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(data,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, data
| sort splunk_server, title

Fields

| rest splunk_server=* /services/data/props/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| eval type="props"
| search has_term=1
| append [
| rest splunk_server=* /services/data/transforms/extractions
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(REGEX,"{your_term}") OR match(SOURCE_KEY,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="transforms"
| fields splunk_server, app, owner, sharing, title, REGEX, SOURCE_KEY
]
| append [
| rest splunk_server=* /services/data/props/calcfields
| rename eai:acl.app as app, eai:acl.owner as owner, field.name as field_name, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(field_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="calcfields"
| fields splunk_server, app, owner, sharing, title, type, attribute, value, field_name
]
| append [
| rest splunk_server=* /services/data/props/fieldaliases
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(title,"{your_term}") OR match(attribute,"{your_term}") OR match(value,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| eval type="fieldalias"
| fields splunk_server, app, owner, sharing, title, type, attribute, value
]
| rename REGEX as regex, SOURCE_KEY as source_key
| fields splunk_server, app, owner, sharing, title, type, attribute, value, regex, source_key, field_name

Macros

| rest splunk_server=* /servicesNS/-/-/admin/macros
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(definition,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, definition
| sort splunk_server, title

Event Types

| rest splunk_server=* /servicesNS/-/-/saved/eventtypes
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(search,"{your_term}") OR match(title,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, title, search
| sort splunk_server, title

Tags

| rest splunk_server=* /servicesNS/-/-/admin/tags
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval has_term=if(match(field_name_value,"{your_term}") OR match(title,"{your_term}") OR match(tag_name,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, tag_name, field_name_value
| sort splunk_server, tag_name

Lookups

| rest splunk_server=* /services/data/transforms/lookups
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| append [
| rest splunk_server=* /servicesNS/-/-/data/lookup-table-files
| rename eai:acl.app as app, eai:acl.owner as owner, eai:acl.sharing as sharing
| eval filename=title
| eval type="file"
]
| eval filename=if(isnull(filename), title, filename)
| stats values(title) as title, values(fields_array) as fields_array by splunk_server, app, owner, sharing, filename, type
| eval filename=if(type!="file" AND type!="geo", "", filename)
| eval has_term=if(match(filename,"{your_term}") OR match(title,"{your_term}") OR match(fields_array,"{your_term}") OR match(owner,"{your_term}"), 1, 0)
| search has_term=1
| fields splunk_server, app, owner, sharing, filename, title, fields_array, type
| sort splunk_server, filename