
How do I identify unneeded knowledge objects?

Marko
Explorer

I've been requested to identify unused knowledge objects. I'm honestly not sure on the best way to go about this request. I have checked the next scheduled time. I'm not sure if that's all I need to do before contacting object owners. Any ideas or documentation to help me accomplish this task will be most appreciated. Thank you!

0 Karma

richgalloway
SplunkTrust

This is not a trivial task since Splunk does not record when each KO is used.

Some are easy to determine - scheduled searches, reports, and alerts, for example.

You should be able to use the audit log to find uses of dashboards and unscheduled saved searches.

Others, like macros, aliases, and tags will be more challenging.  It will require parsing every executed search (find them in _audit) and identifying the KOs in each.

That will produce a list of *used* KOs.  From that, you can derive a list of unused objects.

---
If this reply helps you, Karma would be appreciated.

0 Karma

Marko
Explorer

From that perspective, that makes so much sense. I've gotten what I wanted. Thanks @PickleRick and @richgalloway

PickleRick
SplunkTrust

Apart from some specific use cases this is impossible.

First, ask yourself what you mean by "unused knowledge object".

Let's assume you have an automatic lookup which translates code 0, 1, 2 or 3 to values "critical/serious/moderate/benign". It's "used" only by users looking at it when browsing through the events. Do you consider such a KO used or not?

You can use some techniques to find explicitly requested KOs in searches but also only in some cases. In some (especially if parts of the searches are dynamically generated by means of aliases or map) you can't know before running the search what it will use.

0 Karma
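
Added example (not part of the original thread and not Splunk's own code): a Python sketch of the macro case from the approach discussed above, which extracts backtick macro calls from executed search strings, follows macros nested inside other macro definitions, and subtracts the result from the defined set. It assumes the search strings were exported from `_audit` with the macro calls still unexpanded and that the macro definitions were exported by stanza name (`name` or `name(N)`); all function names and sample data are constructed. Searches containing `map` are only counted, since their text is built at run time.

```python
import re

CALL = re.compile(r"`([^`]+)`")  # text between a pair of backticks
PARTS = re.compile(r"\s*([\w:.\-]+)\s*(?:\((.*)\))?\s*$", re.S)
DYNAMIC = re.compile(r"\|\s*map\b")  # search text generated at run time

def macro_calls(spl):
    """Return stanza-style macro names (name or name(N)) invoked in an SPL string."""
    found = set()
    for body in CALL.findall(spl):
        m = PARTS.match(body)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        if args is None or not args.strip():
            found.add(name)
        else:
            # Mask quoted strings so commas inside them are not counted as separators.
            nargs = re.sub(r'"[^"]*"', '""', args).count(",") + 1
            found.add(f"{name}({nargs})")
    return found

def unused_macros(definitions, searches):
    """definitions: {stanza name: definition}; searches: executed SPL strings."""
    used = set()
    pending = set().union(*map(macro_calls, searches))
    while pending:
        name = pending.pop()
        if name in definitions and name not in used:
            used.add(name)
            # A macro called from a used macro's definition is itself in use.
            pending |= macro_calls(definitions[name])
    dynamic = [s for s in searches if DYNAMIC.search(s)]
    return sorted(set(definitions) - used), dynamic

# Constructed sample data (not taken from any real deployment).
MACROS = {
    "web_idx": "index=web sourcetype=access_combined",
    "errors(1)": "`web_idx` status>=$min$",
    "top_hosts(2)": "top limit=$n$ $field$",
    "old_fw": "index=firewall_legacy",
}
SEARCHES = [
    'search `errors(500)` | stats count by host',
    'search index=main | `top_hosts(5, "src,dst")`',
    'search index=main | map search="search index=$idx$"',
]

if __name__ == "__main__":
    candidates, dynamic = unused_macros(MACROS, SEARCHES)
    print("unused candidates:", candidates)
    print("searches not statically resolvable:", len(dynamic))
```

The output is a list of candidates for review with the object owners, not a deletion list: anything reached only through a dynamically generated search will not show up as used.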