Splunk Search

How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

Hi Team,

I ran the search below to find search applications which have not been accessed by anyone in the last 2 months, but it's instead showing results from now (today's date) back to the past 60 days. I only need to output applications that have never been accessed by anyone within the last 60 days.

Search:

index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

SplunkTrust

The where clause of this search finds apps accessed at least 20 seconds ago, which is probably not what you want. Changing 20 to 5184000 will return those accessed at least 60 days ago.

That said, this search still only finds apps that were accessed 2 months ago. It does not identify those that have not been accessed since then. To do that, you will need a list of all apps from which you remove those which have been accessed in the last 60 days. You can get a list of all apps installed on your system using rest /services/apps/local.

---
If this reply helps you, an upvote would be appreciated.
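The approach this reply describes, written out as an added SPL search (not from the thread): take the full app inventory from the REST endpoint, append the per-app last-access time from access.log, and keep only apps with no access in the window. The eai:acl.owner field name comes from a later reply; splunk_server=local is assumed here so the inventory is read from the search head only.

```spl
| rest /services/apps/local splunk_server=local
| rename title AS AppName, "eai:acl.owner" AS owner
| fields AppName owner
| append
    [ search index=_internal source=*access.log earliest=-60d "/app/"
      | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\""
      | stats max(_time) AS LastAccessed BY AppName ]
| stats values(owner) AS owner, max(LastAccessed) AS LastAccessed BY AppName
| where isnull(LastAccessed)
| table AppName owner
```

The final stats merges the inventory rows with the access rows on AppName, so an app that never appeared in access.log has no LastAccessed value and survives the where clause. The result can only be as accurate as the retention of index=_internal allows.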

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

I tried to change age 20 to 5184000, but it's not showing any result. Can owner and user fields be added to this query?

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

SplunkTrust

Just changing 20 to 5184000 is not enough. That makes the where clause match earliest and return no results. Even if earliest is changed, the search is still returning apps that were accessed at least 60 days ago rather than those not accessed in the last 60 days.

---
If this reply helps you, an upvote would be appreciated.

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

Will you give me a similar query along with user and owner fields?

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

I need output for users who often or never accessed the AppName "search" in more than 60 days, with a table such as user, Viewname, title, Appname, owner, Date, Last accessed.

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

SplunkTrust

I'm not sure which query you mean. I see a user field in access.log, but not an owner field. It could be part of another field.
The REST query has an eai:acl.owner field, but no user field since it's a raw app list.

---
If this reply helps you, an upvote would be appreciated.

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

I mean the query below. Is there any command to add user and owner fields?

index=_internal source=*access.log earliest=-60d /app/ | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

SplunkTrust

Just a reminder: index=_internal has a default retention time of 30 days - so you will not be able to find anything for days 31-60.


Re: How do I filter my search to only return search applications that have not been accessed by anyone in the last 60 days?

New Member

So any idea how I can approach this to get the result for days 31-60?