https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284494#M86046 <P>So any idea how can i approach this to get the result for 31-60 days?</P> Sun, 21 Feb 2016 13:30:09 GMT taraksinha 2016-02-21T13:30:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284485#M86037 <P>Hi Team,</P> <P>I ran the search below to find search Applications which are not accessed in last 2 months by anyone, but it's instead showing results from now (today's date) to the past 60 days. I only need to output applications that have never been accessed by anyone within the last 60 days.</P> <P>Search:</P> <PRE><CODE>index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?\w+)\/(?\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age&gt;20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") </CODE></PRE> Thu, 18 Feb 2016 09:24:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284485#M86037 taraksinha 2016-02-18T09:24:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284486#M86038 <P>The <CODE>where</CODE> clause of this search finds apps accessed at least 20 seconds ago, which is probably not what you want. Changing 20 to 5184000 will return those accessed at least 60 days ago.</P> <P>That said, this search still only finds apps that were accessed 2 months ago. It does not identify those that have <EM>not</EM> been accessed since then. To do that, you will need a list of all apps from which you remove those which have been accessed in the last 60 days. You can get a list of all apps installed on your system using <CODE>rest /services/apps/local</CODE>.</P> Thu, 18 Feb 2016 13:02:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284486#M86038 richgalloway 2016-02-18T13:02:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284487#M86039 <P>I tried to change age 20 to 5184000, but not showing any result, Can be add owner and user filed in this query?</P> Fri, 19 Feb 2016 07:31:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284487#M86039 taraksinha 2016-02-19T07:31:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284488#M86040 <P>Just changing 20 to 5184000 is not enough. That makes the <CODE>where</CODE> clause match <CODE>earliest</CODE> and return no results. Even if <CODE>earliest</CODE> is changed, the search is still returning apps that were accessed at least 60 days ago rather than those not accessed in the last 60 days.</P> Fri, 19 Feb 2016 13:32:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284488#M86040 richgalloway 2016-02-19T13:32:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284489#M86041 <P>will you give me similar query along with user and owner field?</P> Fri, 19 Feb 2016 14:17:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284489#M86041 taraksinha 2016-02-19T14:17:19Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284490#M86042 <P>I need output for user who often or never accessed the App_Name "search" more than 60 days with table such as user,Viewname,title,App_name,owner,Date,Last accessed.</P> Tue, 29 Sep 2020 08:52:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284490#M86042 taraksinha 2020-09-29T08:52:22Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284491#M86043 <P>I'm not sure which query you mean. I see a user field in access.log, but not an owner field. It could be part of another field.<BR /> The REST query has an eai:acl.owner field, but no user field since it's a raw app list.</P> Fri, 19 Feb 2016 14:49:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284491#M86043 richgalloway 2016-02-19T14:49:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284492#M86044 <P>I mean this below query, is it any command to add user and owner field ?</P> <PRE><CODE>index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?\w+)\/(?\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age&gt;20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") </CODE></PRE> Sun, 21 Feb 2016 09:21:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284492#M86044 taraksinha 2016-02-21T09:21:04Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284493#M86045 <P>Just a reminder: <CODE>index=_internal</CODE> has a default retention time of 30 days - so you will not be able to find anything for days 31-60.</P> Sun, 21 Feb 2016 09:26:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284493#M86045 MuS 2016-02-21T09:26:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284494#M86046 <P>So any idea how can i approach this to get the result for 31-60 days?</P> Sun, 21 Feb 2016 13:30:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-search-to-only-return-search-applications/m-p/284494#M86046 taraksinha 2016-02-21T13:30:09Z