validate access to knowledge object

Path Finder

Good afternoon

I am trying to perform an audit of the environmental lookups, and I need to know if there is any query that allows me to validate whether this knowledge object is being used or accessed.

Any information is appreciated

Best regards

SplunkTrust

It's not trivial. Start by searching all of your savedsearches.conf files for the lookup file name. Then search _internal for accesses to those searches.
Then search all of your macros.conf files for the lookup file name. Find out where those macros are used, then search _internal for those searches.
Finally (if I didn't forget something), search all of your dashboards for the lookup file name, then search _internal for accesses to those dashboards.

---
If this reply helps you, an upvote would be appreciated.
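
The file-side part of the procedure in the reply above, as an added example that is not part of the original thread: a Python script that walks a Splunk `etc` directory and lists the saved-search stanzas, macro stanzas and dashboard XML files that mention a lookup file name. The function names, the sample tree and `assets.csv` are constructed for illustration; it assumes dashboards are stored as XML under `data/ui/views`.

```python
import os, re, tempfile
# Assumption: etc_root is a copy of $SPLUNK_HOME/etc (apps/*/{default,local}, users/*/*/local).
CONF_FILES = {"savedsearches.conf", "macros.conf"}
STANZA = re.compile(r"^\[(.+)\]\s*$")

def find_lookup_references(etc_root, lookup_name):
    """Return sorted (relative path, stanza or 'dashboard') pairs mentioning lookup_name."""
    hits = set()
    for dirpath, _dirs, files in os.walk(etc_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, etc_root).replace(os.sep, "/")
            is_view = fname.endswith(".xml") and "/data/ui/views/" in "/" + rel
            if fname not in CONF_FILES and not is_view:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                stanza = "dashboard" if is_view else "(global)"
                for line in fh:  # continuation lines stay in the current stanza
                    m = None if is_view else STANZA.match(line)
                    if m:
                        stanza = m.group(1)
                    elif lookup_name in line and not line.lstrip().startswith("#"):
                        hits.add((rel, stanza))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: one app with saved searches, a macro and two dashboards."""
    root = tempfile.mkdtemp(prefix="splunk_etc_")
    samples = {
        "apps/search/local/savedsearches.conf":
            "[Asset report]\nsearch = index=main \\\n| lookup assets.csv host\n"
            "[Unrelated]\nsearch = index=main | stats count\n",
        "apps/search/local/macros.conf":
            "[asset_owner(1)]\nargs = h\ndefinition = inputlookup assets.csv | search host=$h$\n",
        "apps/search/local/data/ui/views/inventory.xml":
            "<dashboard><search><query>| inputlookup assets.csv</query></search></dashboard>\n",
        "apps/search/local/data/ui/views/other.xml":
            "<dashboard><label>none</label></dashboard>\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for rel, stanza in find_lookup_references(build_sample_tree(), "assets.csv"):
        print(f"{rel}: {stanza}")
```

The stanza and dashboard names it returns are the ones to look for in `_internal`, as the reply describes. Searches can also reference a lookup by its definition name from transforms.conf rather than by file name, so run it for both strings.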