| rest /services/data/transforms/lookups | table eai:acl.app filename title fields_list id | rename eai:acl.app as App, filename as "Lookup File", title as Title, fields_list as "Fields", id as Endpoint
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed as Indexes, title as Role | search Indexes=*
| rest /servicesNS/-/-/data/indexes count=0
| where disabled=0 | fields title | rename title as index | join index type=left
[ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed as index, title as role
| mvexpand index
| where NOT match(index,".*\*.*") ] | search role=*
sourcetype="citrix:netscaler:syslog" DNS | rex field=_raw "^\s+(?<date>[^:]+):(?<time>[^\s]+)(?:[^:\n]*:){3}(?<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | eval date=date." ".time | table date, source_ip, dns | rename date as Date, source_ip as Source, dns as DNS
index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title
[| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| fields title app ]
| rename title as dashboard
| stats count by _time user dashboard app host | rename user as User, dashboard as Dashboard, app as App, host as Host, count as Count