Hi, how can I query all Dashboards with no access in the last 60d?
Others have already answered you, but there is one app, https://splunkbase.splunk.com/app/7300, which could help you find something else that you want to get rid of.
@python wrote: Can I also identify the owner and the last user who accessed the dashboard, as well as the exact date it was accessed?
Hi @python
To achieve this you can use the following SPL:
index=_audit provenance=* app=* info=completed earliest=-60d provenance!="N/A" app!="N/A" provenance!="UI:Search" provenance!="Scheduler"
| eval provenance=replace(replace(provenance,"UI:Dashboard:",""),"UI:dashboard:","")
| stats latest(user) as last_user, latest(_time) as latest_access, dc(search_id) as searches by provenance, app
| append
[| rest /servicesNS/-/-/data/ui/views splunk_server=local count=0
| fields eai:acl.app title name eai:acl.owner isVisible
| rename eai:acl.app as app, title as provenance, eai:acl.owner as owner ]
| stats values(*) as * by provenance, app
| where searches>1
| eval latest_access_readable=strftime(latest_access,"%Y-%m-%d %H:%M:%S")
Hi @python
Here is a search I use for this - I've added a 60d earliest on the audit events which is how far it will look back for searches on a particular dashboard (provenance) within a specific app.
index=_audit provenance=* app=* info=completed earliest=-60d
| eval provenance=replace(replace(provenance,"UI:Dashboard:",""),"UI:dashboard:","")
| append [| rest /servicesNS/-/-/data/ui/views splunk_server=local count=0
| fields eai:acl.app label title eai:acl.owner isVisible
| rename eai:acl.app as app, title as provenance, name as dashboard_id, eai:acl.owner as owner ]
| stats dc(search_id) as searches by provenance, app
| where searches=0
thambisetty has a great search for this at: https://community.splunk.com/t5/Splunk-Search/How-to-find-dashboards-not-in-use-by-the-amount-of-day...
Here it is, modified for your use case (find dashboards not viewed in the last 60 days):
| rest /servicesNS/-/-/data/ui/views splunk_server=local f=id f=updated f=eai:acl ``` Produces all views that are present in local searchhead ```
| table id,updated,eai:acl.removable, eai:acl.app ```eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard```
| rename eai:acl.* as *
| rex field=id ".*\/(?<dashboard>.*)$"
| table app dashboard updated removable
| join type=left dashboard app
[ search index=_audit earliest=-60d ```Change this earliest= value if you want a different value than 60 days``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!=""
| stats earliest(_time) as earliest_time latest(_time) as latest_time by app provenance
| rex field=provenance ".*\:(?<dashboard>.*)$"
| table earliest_time latest_time app dashboard ```produces dashboards that are used in timerange given in earliest/global time range```]
| where isnull(earliest_time) AND removable=1 ``` condition to return only dashboards that are not viewed ```
| stats values(dashboard) as dashboard by app
Can I also identify the owner and the last user who accessed the dashboard, as well as the exact date it was accessed?
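The logic the searches in this thread share, as an added Python example (not code from any poster): strip the `UI:Dashboard:` prefix in either spelling, keep the latest completed search per (app, dashboard), then left-join the view inventory so unused dashboards still appear with their owner. The function name, record layout and sample data are constructed for illustration; only the field names come from the searches above.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches both "UI:Dashboard:" and "UI:dashboard:" as seen in _audit provenance
PREFIX = re.compile(r"^UI:Dashboard:", re.IGNORECASE)

def dashboard_usage(audit_events, views, now, days=60):
    """Left-join the view inventory to audit activity, keyed on (app, dashboard)."""
    cutoff = now - timedelta(days=days)
    last = {}  # (app, dashboard) -> (time, user) of the most recent completed search
    for ev in audit_events:
        prov = ev.get("provenance", "")
        # Skips N/A, UI:Search, Scheduler, unfinished searches and events older than the window
        if ev.get("info") != "completed" or not PREFIX.match(prov) or ev["_time"] < cutoff:
            continue
        key = (ev["app"], PREFIX.sub("", prov))
        if key not in last or ev["_time"] > last[key][0]:
            last[key] = (ev["_time"], ev["user"])
    report = []
    for v in views:
        seen = last.get((v["app"], v["title"]))  # None means no access inside the window
        report.append({
            "app": v["app"], "dashboard": v["title"], "owner": v["owner"],
            "last_user": seen[1] if seen else None,
            "last_access": seen[0].strftime("%Y-%m-%d %H:%M:%S") if seen else None,
            "stale": seen is None,
        })
    return report

# Constructed sample data (not real audit output)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
def _t(days_ago):
    return NOW - timedelta(days=days_ago)
AUDIT = [
    {"_time": _t(3), "app": "search", "user": "alice", "info": "completed", "provenance": "UI:Dashboard:vpn_logins"},
    {"_time": _t(1), "app": "search", "user": "bob", "info": "completed", "provenance": "UI:dashboard:vpn_logins"},
    {"_time": _t(90), "app": "search", "user": "carol", "info": "completed", "provenance": "UI:Dashboard:old_report"},
    {"_time": _t(2), "app": "search", "user": "dave", "info": "completed", "provenance": "UI:Search"},
    {"_time": _t(2), "app": "soc", "user": "erin", "info": "granted", "provenance": "UI:Dashboard:triage"},
]
VIEWS = [
    {"app": "search", "title": "vpn_logins", "owner": "alice"},
    {"app": "search", "title": "old_report", "owner": "carol"},
    {"app": "soc", "title": "triage", "owner": "erin"},
    {"app": "soc", "title": "vpn_logins", "owner": "frank"},  # same name, different app
]

if __name__ == "__main__":
    for row in dashboard_usage(AUDIT, VIEWS, NOW):
        print(row)
```

The `soc/vpn_logins` row shows why the join key includes `app`: a dashboard name alone would wrongly inherit activity from the same-named dashboard in `search`.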