
How do I identify unneeded knowledge objects

Marko
Explorer

I've been requested to identify unused knowledge objects. I'm honestly not sure of the best way to go about this request. I have checked the next scheduled time. I'm not sure if that's all I need to do before contacting object owners. Any ideas or documentation to help me accomplish this task will be most appreciated. Thank you!

1 Solution

richgalloway
SplunkTrust

This is not a trivial task since Splunk does not record when each KO is used.

Some are easy to determine - scheduled searches, reports, and alerts, for example.

You should be able to use the audit log to find uses of dashboards and unscheduled saved searches.

Others, like macros, aliases, and tags will be more challenging. It will require parsing every executed search (find them in _audit) and identifying the KOs in each.

That will produce a list of *used* KOs. From that, you can derive a list of unused objects.

---
If this reply helps you, Karma would be appreciated.


Marko
Explorer

From that perspective, that makes so much sense. I've gotten what I wanted. Thanks @PickleRick and @richgalloway

PickleRick
SplunkTrust

Apart from some specific use cases this is impossible.

First ask yourself what do you mean by "unused knowledge object".

Let's assume you have an automatic lookup which translates code 0, 1, 2 or 3 to values "critical/serious/moderate/benign". It's "used" only by users looking at it when browsing through the events. Do you consider such KO used or not?

You can use some techniques to find explicitly requested KOs in searches but also only in some cases. In some (especially if parts of the searches are dynamically generated by means of aliases or map) you can't know before running the search what it will use.

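As an added illustration of the approach richgalloway describes (pull executed searches from _audit, extract the KOs each one names, subtract them from the inventory) together with PickleRick's caveat about searches built at run time, here is example Python that is not from either poster or from Splunk. The audit search strings and the KO inventory are constructed for the example, and it assumes the search strings have already been exported from _audit.

```python
import re
from typing import Dict, List, Set

# Constructed sample search strings standing in for the "search" field of
# index=_audit events; they are not real audit records from any environment.
AUDIT_SEARCHES = [
    'search index=web `get_web_errors` | stats count by status',
    'search tag=authentication action=failure | `normalize_user(user)` | table user',
    'search eventtype=sshd_login | timechart count',
    '| savedsearch "Daily Login Report"',
    'search index=main | map search="search index=$idx$ `$macro$`"',
]

# Constructed inventory of the KOs defined in the environment (hypothetical names).
KO_INVENTORY: Dict[str, Set[str]] = {
    "macro": {"get_web_errors", "normalize_user", "old_unused_macro"},
    "tag": {"authentication", "stale_tag"},
    "eventtype": {"sshd_login", "retired_eventtype"},
    "savedsearch": {"Daily Login Report", "Forgotten Report"},
}

# How each KO type appears when it is named explicitly in SPL text.
PATTERNS = {
    "macro": re.compile(r"`([A-Za-z_]\w*)(?:\([^`]*\))?`"),
    "tag": re.compile(r"\btag=\"?([\w:.-]+)\"?"),
    "eventtype": re.compile(r"\beventtype=\"?([\w:.-]+)\"?"),
    "savedsearch": re.compile(r"\|\s*savedsearch\s+\"([^\"]+)\""),
}

def extract_kos(search: str) -> Dict[str, Set[str]]:
    """Return the KOs one search string references explicitly, grouped by type."""
    return {kind: set(rx.findall(search)) for kind, rx in PATTERNS.items()}

def is_dynamic(search: str) -> bool:
    """True when the SPL is assembled at run time (map, or $token$ substitution),
    so the audit text alone cannot tell which KOs the search ended up using."""
    return bool(re.search(r"\|\s*map\b", search)) or "$" in search

def unused_kos(searches: List[str], inventory: Dict[str, Set[str]]):
    """Return (unused KOs by type, dynamic searches). Unused = inventory minus
    everything seen in the searches; dynamic ones need manual review first."""
    used: Dict[str, Set[str]] = {kind: set() for kind in inventory}
    dynamic: List[str] = []
    for s in searches:
        if is_dynamic(s):
            dynamic.append(s)
        for kind, names in extract_kos(s).items():
            used[kind] |= names
    return {kind: inventory[kind] - used[kind] for kind in inventory}, dynamic
```

Anything listed as unused is only a candidate: a KO that is referenced solely inside a dynamic search, or used implicitly like PickleRick's automatic lookup, will not show up as used here.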
