Splunk Search

How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha
New Member

Hi All,

How can I make a REST endpoint search to find dashboards which are not in use or have not even been accessed in the last 2 months?

Thanks,

Tarak

1 Solution

somesoni2
SplunkTrust

The REST endpoint doesn't give usage information. Try something like this:

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>20

By default, _internal logs are only kept for 30 days, so your usage threshold should be less than the data retention on the _internal index.

Updated
Adding LastAccessed (thanks to @renjith.nair) and owner of the dashboard.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

taraksinha
New Member

Getting an error while running the above query.

"Unbalanced quotes."


taraksinha
New Member

It's Working....

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

taraksinha
New Member

Hi Some,

Can a date field also be added to the above query, so I can see a date column in the output and correlate the dashboards which have not been accessed in the last 2 months?

Thanks,

Tarak


taraksinha
New Member

Hi Team,

How can I also add the user field in the query below?

index=_internal source=*access.log earliest=-2mon */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>60 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

somesoni2
SplunkTrust

There is a field user in the first search.


taraksinha
New Member

Hi Some,

I can get the output for owner; I need to add the user field in the search query.


somesoni2
SplunkTrust

Yes, explore the data coming from index=_internal source=*access.log. It has a field user. Use that in the query (in stats) so that it's included in the result.

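An added, offline stand-in for the accepted answer's SPL and the user-field follow-up above (example code, not from the thread): it applies the same /app/<app>/<view> regex to constructed web access-log lines, keeps the latest hit and the set of users per app/view, and joins to a constructed copy of the REST views list for the owner. It goes one step further than the SPL's left join from the log: it starts from the view list, so dashboards with no hits at all are reported too. The log line format, the views list, NOW_EPOCH and the 60-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Same pattern as the thread's rex, written as a Python named-group regex.
APP_VIEW_RE = re.compile(r"/app/(?P<AppName>\w+)/(?P<ViewName>\w+)")
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")  # e.g. [02/Jan/2024:08:15:00.000 +0000]
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"
# Constructed sample web access-log lines (not real data); the third field is the user.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2024:09:00:00.000 +0000] "GET /en-US/app/search/sales_overview HTTP/1.1" 200 1234
10.0.0.6 - bob [10/Mar/2024:11:30:00.000 +0000] "GET /en-US/app/search/sales_overview HTTP/1.1" 200 1234
10.0.0.7 - carol [02/Jan/2024:08:15:00.000 +0000] "GET /en-US/app/security/auth_failures HTTP/1.1" 200 999
10.0.0.8 - dave [15/Mar/2024:12:00:00.000 +0000] "GET /en-US/manager/search/saved/searches HTTP/1.1" 200 5
"""
# Constructed stand-in for `| rest /servicesNS/-/-/data/ui/views` (title, author, app).
SAMPLE_VIEWS = [
    {"title": "sales_overview", "author": "alice", "eai:acl.app": "search"},
    {"title": "auth_failures", "author": "secops", "eai:acl.app": "security"},
    {"title": "never_opened", "author": "eve", "eai:acl.app": "search"},
]
# Constructed "now" so the result is reproducible: 2024-03-20 00:00 UTC.
NOW_EPOCH = datetime(2024, 3, 20, tzinfo=timezone.utc).timestamp()

def last_access(log_text):
    """Like `stats max(_time) as LastAccessed values(user) by AppName, ViewName`."""
    seen = {}
    for line in log_text.splitlines():
        m, ts = APP_VIEW_RE.search(line), TS_RE.search(line)
        if not (m and ts):
            continue  # not a /app/<app>/<view> request (the AppName=* ViewName=* filter)
        when = datetime.strptime(ts["ts"], TS_FMT).timestamp()
        key = (m["AppName"], m["ViewName"])
        prev, users = seen.get(key, (0.0, set()))
        seen[key] = (max(prev, when), users | {line.split()[2]})
    return seen

def stale_views(log_text, views, now_epoch, max_age_days):
    """Start from the view list, so never-accessed dashboards are reported too."""
    accessed = last_access(log_text)
    rows = []
    for v in views:
        app, view = v["eai:acl.app"], v["title"]
        when, users = accessed.get((app, view), (None, set()))
        if when is not None and (now_epoch - when) / 86400 <= max_age_days:
            continue  # accessed recently enough; skip
        rows.append({"app": app, "view": view, "owner": v["author"], "users": sorted(users),
                     "last_accessed": None if when is None else
                     datetime.fromtimestamp(when, timezone.utc).strftime("%d-%m-%Y %H:%M:%S")})
    return rows
```

Call `stale_views(SAMPLE_LOG, SAMPLE_VIEWS, NOW_EPOCH, 60)` to list the views older than 60 days; a view that never appears in the log shows `last_accessed` as None, which the SPL left join from the log would not surface.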

taraksinha
New Member

Hi Renjith/Soni,

The above query is similar to my next question:

I am looking only for the search app (search AppName=search) associated with the owner, and the users who haven't accessed those objects (such as reports, searches, saved searches and dashboards) for 60+ days.

Thanks,
Tarak


taraksinha
New Member

I need to add one more column for "user", similar to the query below, where nobody has accessed those objects for 60 days. I hope you guys have a better idea on this; kindly reply.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

taraksinha
New Member

Hello,

I tried to run this query but am not seeing the dashboard name (such as the dashboard named "Audio").
I have 250+ dashboards whose names are shown in the dashboards as a title.
Is it possible to add the dashboard title and the owner of the dashboard in this query?

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=round((now()-LastAccessed)/86400) | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Thanks,
Tarak


taraksinha
New Member

Can anyone help me with my above comment?


renjith_nair
SplunkTrust

The date field is already part of your search: LastAccessed. Just add | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") to your search for formatted output.

Happy Splunking!