Hi Team,
I ran the search below to find search Applications which are not accessed in the last 2 months by anyone, but it's instead showing results from now (today's date) to the past 60 days. I only need to output applications that have never been accessed by anyone within the last 60 days.
Search:
index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")
The where clause of this search finds apps accessed at least 20 seconds ago, which is probably not what you want. Changing 20 to 5184000 will return those accessed at least 60 days ago.
That said, this search still only finds apps that were accessed 2 months ago. It does not identify those that have not been accessed since then. To do that, you will need a list of all apps from which you remove those which have been accessed in the last 60 days. You can get a list of all apps installed on your system using rest /services/apps/local.
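The approach described in the answer above, written out as one search. This is an added example, not a query posted by anyone in the thread: it takes the full app list from rest /services/apps/local and removes every app that appears in the access log within the lookback window. The splunk_server=local argument, the label and disabled columns, and the widened character class in the rex (so app names containing "-" or "." are matched) are assumptions of this example, and the lookback can only reach as far as the _internal index actually retains data.

```spl
| rest /services/apps/local splunk_server=local
| rename title AS AppName, "eai:acl.owner" AS owner
| search NOT
    [ search index=_internal source=*access.log earliest=-60d "/app/"
      | rex "\/app\/(?<AppName>[\w\-\.]+)\/"
      | stats count by AppName
      | fields AppName ]
| table AppName label owner disabled
```

The subsearch returns one AppName per accessed app, so the outer NOT leaves only installed apps with no recorded access in the window.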
I tried to change age 20 to 5184000, but it is not showing any result. Can we add owner and user fields in this query?
Just changing 20 to 5184000 is not enough. That makes the where clause match earliest and return no results. Even if earliest is changed, the search is still returning apps that were accessed at least 60 days ago rather than those not accessed in the last 60 days.
Will you give me a similar query along with user and owner fields?
I'm not sure which query you mean. I see a user field in access.log, but not an owner field. It could be part of another field.
The REST query has an eai:acl.owner field, but no user field since it's a raw app list.
I mean the query below. Is there any command to add user and owner fields?
index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")
Just a reminder: index=_internal has a default retention time of 30 days - so you will not be able to find anything for days 31-60.
So any idea how I can approach this to get the result for 31-60 days?
I need output for users who often or never accessed the App_Name "search" for more than 60 days, with a table such as user, Viewname, title, App_name, owner, Date, Last accessed.