Splunk Search

How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

taraksinha
New Member

Hi Team,

I ran the search below to find search applications that have not been accessed by anyone in the last 2 months, but it's instead showing results from now (today's date) back to 60 days ago. I only need to output applications that have never been accessed by anyone within the last 60 days.

Search:

index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")
0 Karma

richgalloway
SplunkTrust

The where clause of this search finds apps accessed at least 20 seconds ago, which is probably not what you want. Changing 20 to 5184000 will return those accessed at least 60 days ago.

That said, this search still only finds apps that were accessed 2 months ago. It does not identify those that have not been accessed since then. To do that, you will need a list of all apps from which you remove those which have been accessed in the last 60 days. You can get a list of all apps installed on your system using rest /services/apps/local.

---
If this reply helps you, Karma would be appreciated.
0 Karma
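One way to build the "all apps minus recently accessed apps" set that this reply describes, as an added example that is not from the thread: list the installed apps with rest, append the per-app last access time from access.log for the window, then keep only apps that never got a LastAccessed value. The field names title, eai:acl.owner and user come from this thread; the rex pattern and the splunk_server=local restriction are my assumptions. With the default 30-day retention on index=_internal (the point MuS raises below), "never accessed in the window" is only meaningful for the days actually retained.

```spl
| rest /services/apps/local splunk_server=local
| rename title AS AppName, eai:acl.owner AS owner
| fields AppName owner
| append
    [ search index=_internal source=*access.log earliest=-60d "/app/"
      | rex "/app/(?<AppName>[^/]+)/(?<ViewName>[^/\s?\"]+)"
      | stats max(_time) AS LastAccessed, values(user) AS users BY AppName ]
| stats values(owner) AS owner, max(LastAccessed) AS LastAccessed BY AppName
| where isnull(LastAccessed)
| table AppName owner
```

Dropping the final where clause and adding LastAccessed and users to the table instead turns this into an overview of every app with its last access time and the users seen, which is the user/owner view asked for later in the thread.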

taraksinha
New Member

I tried to change age 20 to 5184000, but it's not showing any result. Can the owner and user fields be added to this query?

0 Karma

richgalloway
SplunkTrust

Just changing 20 to 5184000 is not enough. That makes the where clause match earliest and return no results. Even if earliest is changed, the search is still returning apps that were accessed at least 60 days ago rather than those not accessed in the last 60 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma

taraksinha
New Member

Will you give me a similar query along with the user and owner fields?

0 Karma

richgalloway
SplunkTrust

I'm not sure which query you mean. I see a user field in access.log, but not an owner field. It could be part of another field.
The REST query has an eai:acl.owner field, but no user field since it's a raw app list.

---
If this reply helps you, Karma would be appreciated.
0 Karma

taraksinha
New Member

I mean the query below; is there any command to add the user and owner fields?

index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")
0 Karma

MuS
Legend

Just a reminder: index=_internal has a default retention time of 30 days - so you will not be able to find anything for days 31-60.

0 Karma

taraksinha
New Member

So any idea how I can approach this to get the result for days 31-60?

0 Karma

taraksinha
New Member

I need output for users who often or never accessed the App_Name "search" in more than 60 days, with a table such as user, Viewname, title, App_name, owner, Date, Last accessed.

0 Karma