Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When was a Report last run?

gerrysr6
Explorer
‎12-19-2023 09:10 AM

Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports).

Out of 199 Reports 7 are scheduled so I can guess when they ran last.

Can someone show me a search that returns Reports each with their last run date? 

thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...