```Detection-coverage report: for every saved search that carries an action.correlationsearch.label, list the data model it reads, the source types seen in that data model, and whether the search is enabled.```
```Output is one row per rule_name / datamodel / sourcetype combination.```
```Read saved-search stanzas from the local search head across all owners and apps, keep only those with a correlation search label, and expose that label as rule_name.```
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches | search action.correlationsearch.label=* | rename action.correlationsearch.label AS rule_name | fields + title,rule_name

```Second read of the same endpoint to bring in the search string and the disabled flag, matched on title only.```
```NOTE(review): title is the sole join key, so same-named searches in different apps cannot be told apart here - confirm titles are unique in this environment.```
| join type=outer title [| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches | fields + title,search,disabled]

```Pull the word that follows the literal datamodel plus one or two non-word characters out of the search string.```
```rex is used without max_match, so only the first reference is captured; a rule that reads several data models is presumably reported against just one of them - verify before treating this as complete coverage.```
| rex field=search "datamodel\W{1,2}(?<datamodel>\w+)"

```Same target field, more specific pattern: the name given after from datamodel= in a tstats call.```
| rex field=search "tstats.*?from datamodel=(?<datamodel>\w+)"

```Hard-coded fallback: search strings that mention these tracker or macro names are assigned fixed data model names. The list is maintained by hand and yields no value for any name not listed.```
| eval datamodel2=case(match(search, "src_dest_tstats"), mvappend("Network_Traffic", "Intrusion_Detection", "Web"), match(search, "(access_tracker|inactive_account_usage)"), "Authentication", match(search, "malware_operations_tracker"), "Malware", match(search, "(primary_functions|listeningports|localprocesses|services)_tracker"), "Application_State", match(search, "useraccounts_tracker"), "Compute_Inventory")

```Merge the extracted and the fallback names into one multivalue field.```
| eval datamodel=mvappend(datamodel, datamodel2)

```Drop every rule for which no data model name was found. Such rules are absent from the report, so a missing rule here does not mean the rule does not exist.```
| search datamodel=*

```One row per rule and data model.```
| mvexpand datamodel

```Subsearch below: list tstats summarization entries, derive the data model name by stripping the DM_ plus app prefix from summary.id, then run one tstats per data model through map to collect its sourcetype values, excluding stash.```
```map is capped at maxsearches=100, so data models beyond the first 100 are not queried; the subsearch as a whole is also subject to the subsearch limits of the deployment, and a truncated result would understate coverage without an error in the table.```
```The summariesonly macro is defined outside this search; if it expands to summariesonly=true only accelerated summaries are read - confirm its definition.```
```NOTE(review): time bounds in tstats are normally written as earliest= and latest=; confirm that earliest_time=-7d really limits the lookback to seven days and is not evaluated as a field filter.```
| join type=outer datamodel [| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","") | table datamodel

| map maxsearches=100 search="| tstats `summariesonly` values(sourcetype) as sourcetype from datamodel=$datamodel$ WHERE sourcetype!=\"stash\" earliest_time=-7d | eval datamodel=\"$datamodel$\"" ]

```Turn sourcetype back into a multivalue field; makemv with no options splits on a single space.```
| makemv sourcetype

```Give rules without any source type an empty string instead of a null, presumably so the row stays visible in the final table.```
| fillnull value="" sourcetype

```One row per rule, data model and source type.```
| mvexpand sourcetype

```Yes only when disabled equals 0; any other value, including a missing one, is reported as No.```
| eval enabled=if(disabled==0, "Yes", "No")

| table rule_name datamodel sourcetype enabled

```sort without an explicit count returns a limited number of rows by default - confirm the report is not cut short in large environments.```
| sort rule_name