Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When was a Report last run?

gerrysr6
Explorer
‎12-19-2023 09:10 AM

Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports).

Out of 199 Reports 7 are scheduled so I can guess when they ran last.

Can someone show me a search that returns Reports each with their last run date? 

thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...