Hi,
For each app I would like to check whether there are scheduled reports which are NOT used in a dashboard.
Is there a search to do this?
Thanks in advance
You can use rest endpoint to find the details this way -
| rest /servicesNS/-/-/data/ui/views splunk_server=local | table title eai:data eai:acl.app | rename "eai:data" as source,"eai:acl.app" as app | rex max_match=0 field=source "\<param\sname\=\"savedSearch\"\>(?<savedsearch_name>[^\<]+)" | rex max_match=0 field=source "searchname\"\:\s\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "search\s*(id=\"\w+\")?\s*ref\=\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "\<searchName\>(?<savedsearch_name>[^\<]+)" | search savedsearch_name=* | table title app savedsearch_name | rename title as dashboard_name | mvexpand savedsearch_name | join savedsearch_name [ | rest /servicesNS/-/-/saved/searches splunk_server=local | where is_scheduled=1 AND disabled=0 | table title is_scheduled next_scheduled_time disabled| rename title as savedsearch_name ] | dedup dashboard_name savedsearch_name
You can use rest endpoint to find the details this way -
| rest /servicesNS/-/-/data/ui/views splunk_server=local | table title eai:data eai:acl.app | rename "eai:data" as source,"eai:acl.app" as app | rex max_match=0 field=source "\<param\sname\=\"savedSearch\"\>(?<savedsearch_name>[^\<]+)" | rex max_match=0 field=source "searchname\"\:\s\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "search\s*(id=\"\w+\")?\s*ref\=\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "\<searchName\>(?<savedsearch_name>[^\<]+)" | search savedsearch_name=* | table title app savedsearch_name | rename title as dashboard_name | mvexpand savedsearch_name | join savedsearch_name [ | rest /servicesNS/-/-/saved/searches splunk_server=local | where is_scheduled=1 AND disabled=0 | table title is_scheduled next_scheduled_time disabled| rename title as savedsearch_name ] | dedup dashboard_name savedsearch_name
to me, it looks like this only includes searches that are used in dashboards. can we add those that are not used in a dashboard? I would like to unschedule them
Ops, I didn't read the question body. Yes the above search gives all scheduled searches in a dashboard.
Use below one for the scheduled searches that aren't used -
| rest /servicesNS/-/-/saved/searches splunk_server=local | where is_scheduled=1 AND disabled=0 | rename "eai:acl.app" as app| table title app is_scheduled next_scheduled_time disabled | rename title as savedsearch_name | join savedsearch_name type=left [ | rest /servicesNS/-/-/data/ui/views splunk_server=local | table title eai:data eai:acl.app | rename "eai:data" as source | rex max_match=0 field=source "\<param\sname\=\"savedSearch\"\>(?<savedsearch_name>[^\<]+)" | rex max_match=0 field=source "searchname\"\:\s\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "search\s*(id=\"\w+\")?\s*ref\=\"(?<savedsearch_name>[^\"]+)" | rex max_match=0 field=source "\<searchName\>(?<savedsearch_name>[^\<]+)" | search savedsearch_name=* | table title savedsearch_name | rename title as dashboard_name | mvexpand savedsearch_name ] | search NOT dashboard_name=*
thanks a lot 🙂