I have inherited a splunk distributed deployment which is a bit of a train wreck.
Does anyone know of a way to identify indexes that no one has searched for a long time?
Or how to identify reports that no one has run for a long time or that are not scheduled?
Thank you,
Gunnar
Hi @Glasses,
Someone already developed a dashboard and posted it here for that purpose :
https://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html
You can also use app such as search activity to see what's being used the most and reverse the search to get what's being used the least :
https://splunkbase.splunk.com/app/2632/
Another useful link to see dashboard usage here :
https://answers.splunk.com/answers/617051/how-can-i-create-a-query-to-find-dashboard-usage-a.html
Lots of resources about this. You can even leverage the MC to get more insight one what's happening.
Let me know if there's a specific query you're looking to build in addition to all that.
Cheers,
David