Splunk Search

How to find alerts and dashboards that were created a long time ago?

Path Finder

Is there any way to find out the alerts and dashboards created like 5 months ago and with the respective user names?

SplunkTrust

Hello there,
Here is one solution leveraging the | rest endpoints and the "updated" field that they provide.
The first one is for your views / dashboards.
Code:

| rest /servicesNS/-/-/data/ui/views
| search eai:acl.app = *
| table title eai:acl.app eai:acl.owner updated
| eval updated_epoch = strptime('updated', "%Y-%m-%dT%H:%M:%S%:z")
| eval now = now()
| where updated_epoch > now - 12960000
| sort - updated
| fields - now updated_epoch

The number 12960000 is approximately 5 months (in seconds); you can adjust it as you wish.
If you want to see all the saved items, change the first line in the code to this:

| rest /services/saved/searches

Here is a sample screenshot. I created a dashboard a couple of minutes ago to demonstrate that it catches it; I named it "transaction complete".

Hope it helps.

P.S. There are probably other ways to achieve what you are looking for, possibly in a better way too. Also, you will probably want to filter out the user = nobody items, as I assume you are looking for views created by users and not by pre-built apps.

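The same audit done outside the search bar, as an added example that is not part of the answer above: it applies the answer's 5-month window and the "owner = nobody" filter to entries in the shape the same REST endpoints return with output_mode=json. The entries, the fixed clock and the field subset are constructed for the example.

```python
"""Filter Splunk knowledge objects (dashboards, saved searches) by their
'updated' timestamp, mirroring the SPL search in the answer. Added example,
not part of the original post. Assumes the JSON form of the REST endpoints
(output_mode=json), where each entry carries 'updated' and 'acl' fields."""
from datetime import datetime, timedelta, timezone

FIVE_MONTHS = timedelta(seconds=12_960_000)  # same window as the SPL search

# Constructed sample: the shape of /servicesNS/-/-/data/ui/views?output_mode=json
# and /services/saved/searches?output_mode=json, trimmed to the fields used here.
SAMPLE_ENTRIES = [
    {"name": "transaction complete", "updated": "2019-03-12T10:15:30-07:00",
     "acl": {"app": "search", "owner": "alice"}},
    {"name": "old_ops_view", "updated": "2018-06-01T08:00:00+00:00",
     "acl": {"app": "search", "owner": "bob"}},
    {"name": "bundled_dashboard", "updated": "2019-03-01T00:00:00+00:00",
     "acl": {"app": "some_app", "owner": "nobody"}},
]


def parse_updated(value):
    """Parse the REST 'updated' value (ISO 8601 with a numeric UTC offset) into
    an aware datetime; equivalent to strptime(updated, "%Y-%m-%dT%H:%M:%S%:z") in SPL."""
    return datetime.fromisoformat(value)


def recently_changed(entries, now, window=FIVE_MONTHS, skip_system=True):
    """Return (name, app, owner, updated) for entries updated within `window` of `now`,
    newest first. Entries owned by 'nobody' (shipped with apps, not user-created)
    are dropped unless skip_system=False, as the answer's P.S. suggests."""
    cutoff = now - window
    rows = []
    for entry in entries:
        owner = entry["acl"]["owner"]
        if skip_system and owner == "nobody":
            continue
        updated = parse_updated(entry["updated"])
        if updated > cutoff:
            rows.append((entry["name"], entry["acl"]["app"], owner, updated))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def demo_rows(skip_system=True):
    """Run the filter over the constructed sample with a fixed clock (reproducible)."""
    now = datetime(2019, 3, 13, tzinfo=timezone.utc)
    return recently_changed(SAMPLE_ENTRIES, now, skip_system=skip_system)


if __name__ == "__main__":
    for name, app, owner, updated in demo_rows():
        print(f"{updated.isoformat()}  {app:10} {owner:8} {name}")
```

Against a live instance, replace SAMPLE_ENTRIES with the `entry` list from the endpoint's JSON response and `now` with `datetime.now(timezone.utc)`.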