You should use a summary index (http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Usesummaryindexing) instead of an outputlookup.
You could summarize stats of DNS resolving every 15 mins, and write this to the summary index. And then query the summary index to generate stats over a longer period.
Define all Knowledge Objects that may not be deleted as .conf files in the /default directory in the app.
This will only work if you know up front which KO may not be deleted. This will not protect against one user deleting a KO of another user which is shared in the app.
Use mvexpand to create an event for each multi-value value. You'll be able to create a timechart with a line for each distinct policy:
my query
| eval Policies=split(cat,";")
| mvexpand Policies
| timechart span=1h count by Policies