Re: How to find alerts and dashboards that were cr...

kteng2024 · ‎07-14-2017

Is there any way to find out the alerts and dashboards created like 5 months ago and with the respective user names?

adonio · ‎07-14-2017

hello there,
here is one solution leveraging the | rest endpoints and the "updated" field that they provide:
first one is for your views / dashboards.
code:

| rest /servicesNS/-/-/data/ui/views
| search eai:acl.app = *
| table title eai:acl.app eai:acl.owner updated
| eval updated_epoch = strptime('updated', "%Y-%m-%dT%H:%M:%S-%:z")
| eval now = now()
| where updated_epoch > now - 12960000
| sort - updated
| fields - now updated_epoch

the number 12960000 is approximately 5 months (in seconds) you can adjust as you wish
if you want to see all the saved items, change the first line in the code to this:

| rest /services/saved/searches

here is a sample screenshot. i created a dashboard couple of minutes ago to demonstrate it catches it. named it "transaction complete"

hope it helps

p.s. there are probably other ways to achieve what you are looking for. possibly in a better way too. also, you will probably want to filter the user = nobody items as i assume you are looking for views created by users and not by pre-built apps

How to find alerts and dashboards that were created a long time ago?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!