Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When was a Report last run?

gerrysr6
Explorer
‎12-19-2023 09:10 AM

Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports).

Out of 199 Reports 7 are scheduled so I can guess when they ran last.

Can someone show me a search that returns Reports each with their last run date? 

thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...