Dashboards & Visualizations

How to eliminate old reports and dashboards?

New Member

Hi All,

I would like to eliminate old reports and dashboards. I am new to using Splunk and am looking for old reports and dashboards which were not accessed in the last two months. If you have any solution regarding this, please reply. Thanks in advance.

0 Karma

Explorer

I know this question is old but I had a similar question and wasn't able to find an answer. This search will find dashboards that haven't been accessed in more than 60 days.

| rest /servicesNS/-/-/data/ui/views splunk_server=* 
| search eai:acl.app!="search" AND eai:acl.app!="splunk_management_console" AND eai:acl.app!="splunk_monitoring_console" AND isDashboard=1 
| rename eai:acl.app AS app 
| fields title app author 
| join type=left title 
    [| search index=_internal sourcetype=splunk_web_access host=* user=* 
    | rex field=uri_path ".*/(?<title>[^/]*)$" 
    | stats latest(_time) as Time latest(user) as user by title] 
| where isnotnull(Time) 
| eval Now=now() 
| eval days=round((Now-Time)/86400,2) 
| sort - days 
| convert ctime(Time) 
| table app title days Time user author 
| fields - Now 
| search days > 60 
| rename days AS "Days since last accessed"

Run it over the last 90 days.

If your log retention is set at the default 30 days, look at pgreer's answer above.

0 Karma

SplunkTrust

This one has one downside: Splunk keeps the internal logs by default only for 30 days. One needs to change the retention first to be able to run this search over 90 days.

cheers, MuS

Explorer

I completely forgot about this. Thanks for calling it out 🙂

0 Karma

Splunk Employee

I dug around some more - wondering if this will provide you with what you're looking for as well.

Create a lookup table of all saved searches:

| rest /servicesNS/-/-/data/ui/views splunk_server=local 
| rename eai:* as * 
| rename acl.* as * 
| search isVisible=1 
| fields title data 
| stats 
    [| rest /servicesNS/-/-/saved/searches/ splunk_server=local 
    | search is_scheduled=1 
    | dedup title 
    | fields title 
    | eval savedSearch="count(eval(like(data,\"%".title."%\"))) AS \"".title."\"" 
    | stats values(savedSearch) AS savedSearch 
    | nomv savedSearch 
    | return $savedSearch] 
| transpose 
| rename column AS savedsearch_name "row 1" AS countOfTimesFoundInDashboards 
| fields savedsearch_name 
| sort savedsearch_name 
| outputlookup savedsearches.csv

Create a lookup table of all searches that have occurred within a set time period (I tested with the last 30 days):

index=_audit action=search savedsearch_name!="" | fields savedsearch_name | dedup savedsearch_name | table savedsearch_name | sort savedsearch_name | outputlookup last30_savedsearches.csv

Then compare the two tables to show searches that are in the saved search list that are not in the last30 days list:

|set diff [inputlookup last30_savedsearches.csv | fields savedsearch_name] [inputlookup savedsearches.csv| fields savedsearch_name] | sort savedsearch_name

Using the lookup tables, I found, was just a little more simple than having a huge '|set diff [search1] [search2]' single statement. Plus it leaves you with a nice inventory of your saved searches and those run in the last 30 days for reference for other plausible purposes.

The same approach could be used for dashboards, but you'd need to use different sources for finding all the saved dashboards (via the rest command), then use the web_access.log* entries in _internal to find those unique dashboards that had been accessed within the past 30 days.
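The saved-search comparison described in this answer can also be written as one search that keeps the last run time and user for each report, which gives the Title / Owner / User / Date layout asked for later in the thread. This is an added example, not part of the original answer. It assumes the `_audit` events carry `user` alongside `savedsearch_name`, that `eai:acl.owner` identifies the report owner, and that `_audit` retention covers more than 60 days.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| rename eai:acl.app AS app eai:acl.owner AS owner
| fields title app owner is_scheduled
| join type=left title
    [ search index=_audit action=search savedsearch_name!="" earliest=0
    | stats latest(_time) AS last_run latest(user) AS last_user BY savedsearch_name
    | rename savedsearch_name AS title ]
| where isnull(last_run) OR last_run < relative_time(now(), "-60d")
| eval last_run=if(isnull(last_run), "none in retained audit data", strftime(last_run, "%d/%m/%Y"))
| table app title last_run owner last_user is_scheduled
| sort app title
```

Reports with no matching audit event are kept and labelled rather than dropped, so a report that has never run still shows up as a cleanup candidate. The join is on `title` only, so reports with the same name in different apps share one last-run value, and `earliest=0` scans all retained audit data, which can be slow on a large instance.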

Splunk Employee

Here's a possibility that may get you started.

index=_internal source=*web_access.log* | search "/app/" |rex "^(?:[^:\n]*:){5}\d+/\w+\-\w+/\w+/(?P<app>\w+)/(?P<view>\w+)"

The above extracts the events and apps and what was viewed on them through the GUI. You can table it and throw it into a lookup possibly to give you a list of apps and views that people have used over the time range.

Then you could use the '| rest ' command to find all dashboards, reports, etc.

| rest /servicesNS/-/-/data/ui/views | search isVisible=1 isDashboard=1

For instance the above shows the dashboards on your instance.

| rest /services/saved/searches | search is_visible=1

The above shows your saved searches.

0 Karma

New Member

Hi Pgreer,

Thanks for replying with the above query, but I am looking for the reports which have not been accessed/viewed in the past 60 days, and I want to filter my results by the fields Title, Author (who created the item), User (who accessed/viewed the item), and Date (when it was accessed), similar to the example below.

AppName   ViewName              Date         owner        user
search    g2arsosdistribution   28/01/2016   christophs   alexanders2

Thanks,

0 Karma

Path Finder

Hi taraksinha,
It seems like this question has already been answered. See this link; it may be useful for you:
https://answers.splunk.com/answers/216934/where-do-i-editdelete-reports-in-splunk-app-for-wi.html

0 Karma

New Member

Hi Umesh,

I can see all the reports and dashboards in the "Searches, reports, and alerts" panel, but I actually want to filter all the reports and dashboards which haven't been accessed in the last 2 months, so I can delete or disable the reports and dashboards accordingly. If you have any idea, please let me know. Thanks, Umesh, for replying to me.

Regards,
Tarak

0 Karma

New Member

Is there any search query to find unused reports and dashboards? Kindly reply.

Thanks,

0 Karma