Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When was a Report last run?

gerrysr6
Explorer
‎12-19-2023 09:10 AM

Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports).

Out of 199 Reports 7 are scheduled so I can guess when they ran last.

Can someone show me a search that returns Reports each with their last run date? 

thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...