topic Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months? in Splunk Search

How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Thu, 11 Feb 2016 05:56:45 GMT

Hi All,

How can I make a rest endpoint search to search for dashboards which are not in use or not even accessed for the last 2 months?

Thanks,

Tarak

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

somesoni2 — Thu, 11 Feb 2016 17:54:30 GMT

The REST endpoint doesn't give usage information. Try something like this:-

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20

By default _internal logs are only kept for 30 days so, your threshold for usage should be less data retention on the _internal index.

Updated
Adding LastAccessed (thanks to @renjith.nair) and owner of the dashboard.

index=_internal source=access.log /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName  [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Fri, 12 Feb 2016 05:09:27 GMT

Hi Some,

Can be add date filed also in above query, So i can see date column in output and correlate dashboard which are not accessed in last 2 Months.

Thanks,

Tarak

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

renjith_nair — Fri, 12 Feb 2016 05:48:26 GMT

Date field is part of your search LastAccessed . Just add |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") to your search for formatted output

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Fri, 12 Feb 2016 11:49:43 GMT

Hello,

I tried to run this query but not seeing Dashboard name (such as dashboard name "Audio"),
I have 250+ Dashboards which names are showing in dashboards as a Title
Is it possible to add Dashboard Title and owner of dashboard name in this query?

index=_internal source=*access.log */app/* | rex "\/app\/(?\w+)\/(?\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Thanks,
Tarak

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Mon, 15 Feb 2016 04:56:02 GMT

can anyone help me on my above comment?

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Tue, 16 Feb 2016 05:24:11 GMT

Getting error while ran above query.

"Unbalanced quotes."

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Tue, 16 Feb 2016 09:59:42 GMT

It's Working....

index=_internal source=*access.log */app/* | rex "\/app\/(?\w+)\/(?\w+)\""| search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Wed, 17 Feb 2016 18:10:41 GMT

Hi Renjith/Soni,

The above query similar with my next question:-

I am looking for only search App (search AppName=search) associated with owner. And user who haven't accessed those object (such as reports, search, saved search and dashboard) since 60+ days.

Thanks,
Tarak

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Thu, 18 Feb 2016 07:18:45 GMT

I need to add one more column for "user", similar like below query and nobody has beed accessed those object since 60 days. I hope you guys have better idea on this, Kindly reply me

index=_internal source=*access.log */app/* | rex "\/app\/(?\w+)\/(?\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName  [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Sun, 21 Feb 2016 13:45:28 GMT

Hi Team,

How can i add user field also in below query ?

index=_internal source=*access.log earliest=-2mon  */app/* | rex "\/app\/(?\w+)\/(?\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>60 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName  [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

somesoni2 — Sun, 21 Feb 2016 20:10:15 GMT

There is a field user in the first search.

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha — Mon, 22 Feb 2016 07:50:15 GMT

Hi Some,

I can get the output for owner, need to add user field in search query.

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

somesoni2 — Mon, 22 Feb 2016 15:33:08 GMT

Yes, explore the data coming from index=_interanl source=*access.log . It has a field user. Use that in the query (in stats) so that it's included in the result.