Since every app
when invoked first can only be accessed by invoking the app url
hence how about searching the index=_internal
and sourcetype=splunk_web_access
to find all the invocations of the app url
and rex(ing)
the data out for yourself something like this:
outer search to find all app urls invoked till today NOT ( [ subsearch to find the url apps which were accessed within last 7 days ] )
So your query should look something like:
index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) NOT ([ search index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) earliest=-7d@d | rex ".*\"(?<url>http(s)*\:\/\/.*\/app\/[^\/]+)"| table url | dedup url| return 10000 $url])
| rex ".*\"(?<url>http(s)*\:\/\/[^\"]+)\""
| rex field=url "http(s)*\:\/\/(?<domain>[^\:]+)\:(?<port>[^\/]+)\/.*\/app\/(?<appName>[^\/]+).*"
| table appName
| dedup appName
Since every app
when invoked first can only be accessed by invoking the app url
hence how about searching the index=_internal
and sourcetype=splunk_web_access
to find all the invocations of the app url
and rex(ing)
the data out for yourself something like this:
outer search to find all app urls invoked till today NOT ( [ subsearch to find the url apps which were accessed within last 7 days ] )
So your query should look something like:
index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) NOT ([ search index=_internal sourcetype=splunk_web_access ((http\:\/\/) OR (https\:\/\/)) (\/app\/) earliest=-7d@d | rex ".*\"(?<url>http(s)*\:\/\/.*\/app\/[^\/]+)"| table url | dedup url| return 10000 $url])
| rex ".*\"(?<url>http(s)*\:\/\/[^\"]+)\""
| rex field=url "http(s)*\:\/\/(?<domain>[^\:]+)\:(?<port>[^\/]+)\/.*\/app\/(?<appName>[^\/]+).*"
| table appName
| dedup appName
Answering this is inherently hard because of the different aspects contained in an app.
Dashboards and saved searches are fairly easy to check because users have to access them explicitly - they'll be in _internal
. Knowledge objects are much harder to check - especially if your app shares them globally.
Take lookups as an example. You could crawl all searches for an explicit | lookup lookup_name
, but you'd also have to check if automatic lookups were implicitly triggered somewhere. Without instrumentation from Splunk Core, that's an unanswerable question at the moment 😞
take a look at this answers:
https://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html
it shows which users use the dashboards and which dashboards are being used. i'm sure you can tweak it to look at which dashboards aren't being used.