
How do I identify unneeded knowledge objects?

Marko
Explorer

I've been requested to identify unused knowledge objects. I'm honestly not sure on the best way to go about this request. I have checked the next scheduled time. I'm not sure if that's all I need to do before contacting object owners. Any ideas or documentation to help me accomplish this task will be most appreciated. Thank you!

1 Solution

richgalloway
SplunkTrust

This is not a trivial task since Splunk does not record when each KO is used.

Some are easy to determine - scheduled searches, reports, and alerts, for example.

You should be able to use the audit log to find uses of dashboards and unscheduled saved searches.

Others, like macros, aliases, and tags will be more challenging. It will require parsing every executed search (find them in _audit) and identifying the KOs in each.

That will produce a list of *used* KOs. From that, you can derive a list of unused objects.

---
If this reply helps you, Karma would be appreciated.


Marko
Explorer

From that perspective, that makes so much sense. I've gotten what I wanted. Thanks @PickleRick and @richgalloway

PickleRick
SplunkTrust

Apart from some specific use cases this is impossible.

First ask yourself what do you mean by "unused knowledge object".

Let's assume you have an automatic lookup which translates code 0, 1, 2 or 3 to values "critical/serious/moderate/benign". It's "used" only by users looking at it when browsing through the events. Do you consider such KO used or not?

You can use some techniques to find explicitly requested KOs in searches but also only in some cases. In some (especially if parts of the searches are dynamically generated by means of aliases or map) you can't know before running the search what it will use.

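The approach richgalloway describes (parse every executed search from _audit, collect the KOs each one names, diff against the inventory) and the limitation PickleRick raises (searches built at run time, and KOs like automatic lookups that never appear in a search string) can both be made concrete in one script. The following is an added example, not code from Splunk or from either poster. It assumes two inputs that have already been exported: the `search=` strings from `index=_audit action=search` events, and a per-type inventory of KO names (for instance from the saved/searches, admin/macros, saved/eventtypes, saved/fvtags and data/lookup-definitions REST endpoints). Both inputs here are constructed sample data, and the regular expressions are a deliberately simple approximation of SPL syntax, not a full parser.

```python
"""
Static pass over exported _audit search strings: collect the knowledge
objects (KOs) each search references, diff against a KO inventory, and
flag searches whose operands are only known at run time.
Added example; not Splunk's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample: `search=` values as they appear in index=_audit
# action=search events (all names invented for this example).
AUDIT_SEARCHES = [
    'search index=web sourcetype=access_combined `get_status(503)` | stats count by host',
    'search eventtype=failed_login tag=authentication | lookup severity_codes code OUTPUT severity',
    '| savedsearch "Daily Error Summary"',
    '| inputlookup asset_inventory | map search="search index=$idx$ `$macro$`"',
    'search index=_internal | timechart count',
]

# Constructed sample: KO inventory by type, as it would be gathered from the
# REST endpoints named in the lead-in.
KO_INVENTORY = {
    "macro": {"get_status", "format_host", "old_filter"},
    "eventtype": {"failed_login", "legacy_audit"},
    "tag": {"authentication", "deprecated"},
    "lookup": {"severity_codes", "asset_inventory", "unused_geo"},
    "savedsearch": {"Daily Error Summary", "Weekly Nothing"},
}

# One extraction pattern per KO type. Macro arguments are dropped so that
# `get_status(503)` resolves to the macro definition name get_status.
PATTERNS = {
    "macro": re.compile(r"`([A-Za-z_]\w*)(?:\([^`]*\))?`"),
    "eventtype": re.compile(r"\beventtype=\"?([^\s\"|]+)"),
    "tag": re.compile(r"\btag(?:::\w+)?=\"?([^\s\"|]+)"),
    # `| lookup [key=val ...] <name>` and `| inputlookup <name>`
    "lookup": re.compile(r"\|\s*(?:input)?lookup\s+(?:[\w-]+=\S+\s+)*([\w.-]+)"),
    "savedsearch": re.compile(r"\|\s*savedsearch\s+\"?([^\"|]+?)\"?\s*(?:\||$)"),
}

# Commands that build sub-searches at run time; the KOs those sub-searches
# end up using cannot be read off the outer search string.
DYNAMIC_COMMANDS = re.compile(r"\|\s*(map|foreach)\b")


def referenced_kos(search: str) -> dict:
    """Return {ko_type: set(names)} for the KOs one search string names."""
    found = defaultdict(set)
    for ko_type, pattern in PATTERNS.items():
        for match in pattern.finditer(search):
            name = match.group(1).strip()
            if "$" in name:  # $token$ is substituted at run time; unknown here
                continue
            found[ko_type].add(name)
    return dict(found)


def is_dynamic(search: str) -> bool:
    """True when part of the search is generated at run time (map/foreach/$token$)."""
    return bool(DYNAMIC_COMMANDS.search(search)) or "$" in search


def analyze(searches, inventory) -> dict:
    """Diff referenced KOs against the inventory; report unresolvable searches."""
    used = defaultdict(set)
    dynamic = []
    for search in searches:
        for ko_type, names in referenced_kos(search).items():
            used[ko_type] |= names
        if is_dynamic(search):
            dynamic.append(search)
    unused = {t: sorted(inventory[t] - used.get(t, set())) for t in inventory}
    return {
        "used": {t: sorted(names) for t, names in used.items()},
        "unused": unused,   # candidates only; see note on implicit KOs
        "dynamic": dynamic,  # searches whose KO use needs run-time evidence
    }


if __name__ == "__main__":
    result = analyze(AUDIT_SEARCHES, KO_INVENTORY)
    for ko_type, names in result["unused"].items():
        print(f"{ko_type}: not referenced by any audited search: {names}")
    for search in result["dynamic"]:
        print(f"needs manual review (run-time generated): {search}")
```

The "unused" list is a list of candidates for the owners to confirm, not proof of disuse: automatic lookups, field aliases, calculated fields and sourcetype-scoped props are applied by the search pipeline without ever being named in a search string, so this pass cannot see them at all, which is PickleRick's point. Searches that land in "dynamic" (here the one using `map` with `$token$` substitution) should be checked against the actual sub-searches recorded in _audit rather than judged from the outer string.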
