Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to generate a search that will look for Sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since every app when invoked first can only be accessed by invoking the app url hence how about searching the index=_internal and sourcetype=splunk_web_access to find all the invocations of the app url and rex(ing) the data out for yourself something like this:
outer search to find all app urls invoked till today NOT ( [ subsearch to find the url apps which were accessed within last 7 days ] )
So your query should look something like:
index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) NOT ([ search index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) earliest=-7d@d | rex ".*\"(?<url>http(s)*\:\/\/.*\/app\/[^\/]+)"| table url | dedup url| return 10000 $url])
| rex ".*\"(?<url>http(s)*\:\/\/[^\"]+)\""
| rex field=url "http(s)*\:\/\/(?<domain>[^\:]+)\:(?<port>[^\/]+)\/.*\/app\/(?<appName>[^\/]+).*"
| table appName
| dedup appName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since every app when invoked first can only be accessed by invoking the app url hence how about searching the index=_internal and sourcetype=splunk_web_access to find all the invocations of the app url and rex(ing) the data out for yourself something like this:
outer search to find all app urls invoked till today NOT ( [ subsearch to find the url apps which were accessed within last 7 days ] )
So your query should look something like:
index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) NOT ([ search index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) earliest=-7d@d | rex ".*\"(?<url>http(s)*\:\/\/.*\/app\/[^\/]+)"| table url | dedup url| return 10000 $url])
| rex ".*\"(?<url>http(s)*\:\/\/[^\"]+)\""
| rex field=url "http(s)*\:\/\/(?<domain>[^\:]+)\:(?<port>[^\/]+)\/.*\/app\/(?<appName>[^\/]+).*"
| table appName
| dedup appName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Answering this is inherently hard because of the different aspects contained in an app.
Dashboards and saved searches are fairly easy to check because users have to access them explicitly - they'll be in _internal. Knowledge objects are much harder to check - especially if your app shares them globally.
Take lookups as an example. You could crawl all searches for an explicit | lookup lookup_name, but you'd also have to check if automatic lookups were implicitly triggered somewhere. Without instrumentation from Splunk Core, that's an unanswerable question at the moment 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
take a look at this answers:
https://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html
it shows which users use the dashboards and which dashboards are being used. i'm sure you can tweak it to look at which dashboards aren't being used.
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
