Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When was a Report last run?

gerrysr6
Explorer
‎12-19-2023 09:10 AM

Our system has a lot of Reports defined and I'm tasked with cleaning them up. The first thing I want to do is determine when each was last used. I found some searches that are supposed to help, but they are too old or something, results are invalid (e.g. I am getting back Alerts and Searches when I want only Reports).

Out of 199 Reports 7 are scheduled so I can guess when they ran last.

Can someone show me a search that returns Reports each with their last run date? 

thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-19-2023 11:25 AM

I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after.

Example SPL:

 

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
    | stats
        values(host) as hosts,
        latest(timestamp) as last_run_epoch
            by "desc.app", "desc.savedsearch_name"
    | eval
        days_since_last_run=((now()-'last_run_epoch')/(60*60*24)),
        duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
    | convert
        ctime(last_run_epoch) as last_run_timestamp

 

 

 

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...