Splunk Search

How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

taraksinha
New Member

Hi Team,

I ran the search below to find search applications which have not been accessed in the last 2 months by anyone, but it's instead showing results from now (today's date) to the past 60 days. I only need to output applications that have never been accessed by anyone within the last 60 days.

Search:

index=_internal source=*access.log earliest=-60d  /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

richgalloway
SplunkTrust

The where clause of this search finds apps accessed at least 20 seconds ago, which is probably not what you want. Changing 20 to 5184000 will return those accessed at least 60 days ago.

That said, this search still only finds apps that were accessed 2 months ago. It does not identify those that have not been accessed since then. To do that, you will need a list of all apps from which you remove those which have been accessed in the last 60 days. You can get a list of all apps installed on your system using rest /services/apps/local.

---
If this reply helps you, Karma would be appreciated.
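The approach described in this answer, written out in SPL as an added example (not from the original thread): the installed-app list from the REST endpoint is combined with the apps seen in access.log over the last 60 days, and only apps with no recorded access time survive. It assumes _internal actually retains 60 days of access.log and that the app title returned by the REST endpoint matches the name in the /app/<name>/ URL path.

```spl
| rest /services/apps/local splunk_server=local
| fields title eai:acl.owner
| rename title as AppName, eai:acl.owner as owner
| append
    [ search index=_internal source=*access.log earliest=-60d /app/
      | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)"
      | stats max(_time) as LastAccessed by AppName ]
| stats values(owner) as owner, max(LastAccessed) as LastAccessed by AppName
| where isnull(LastAccessed)
| table AppName owner
```

Apps that appear only in the REST list, and not in the access.log subsearch, are the ones nobody opened in the window, so they come out with an empty LastAccessed; if _internal keeps fewer than 60 days, the access.log side covers only the retained window and the result overstates the unused apps.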

taraksinha
New Member

I tried to change age 20 to 5184000, but it is not showing any result. Can owner and user fields be added to this query?


richgalloway
SplunkTrust

Just changing 20 to 5184000 is not enough. That makes the where clause match earliest and return no results. Even if earliest is changed, the search is still returning apps that were accessed at least 60 days ago rather than those not accessed in the last 60 days.

---
If this reply helps you, Karma would be appreciated.

taraksinha
New Member

Will you give me a similar query along with user and owner fields?


richgalloway
SplunkTrust

I'm not sure which query you mean. I see a user field in access.log, but not an owner field. It could be part of another field.
The REST query has an eai:acl.owner field, but no user field since it's a raw app list.

---
If this reply helps you, Karma would be appreciated.

taraksinha
New Member

I mean the query below; is there any command to add user and owner fields?

index=_internal source=*access.log earliest=-60d  /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

MuS
SplunkTrust

Just a reminder: index=_internal has a default retention time of 30 days - so you will not be able to find anything for days 31-60.


taraksinha
New Member

So, any idea how I can approach this to get the result for days 31-60?


taraksinha
New Member

I need output for users who often or never accessed the App_Name "search" in more than 60 days, with a table such as user, Viewname, title, App_name, owner, Date, Last accessed.
