Splunk Search

How to find dashboards not in use by the amount of days?

mrsplunx
New Member

Hi guys

I need to find all dashboards not used in x days.
I saw this has already been asked in this forum but I can't post links.
The post can hopefully be found by its id 662975.
If not, here are the suggestions on how to solve it.

1.

 index=_internal sourcetype=splunkd_ui_access method=post ui/views
   | table user, req_time, file 
   | rename file as dashboard req_time as editTime

2.

 index=_internal user!="-" sourcetype=splunkd_ui_access "en-US/app"
   | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
   | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"
   | bucket _time span=1d
   | stats dc(dashboard) as c by dashboard user _time

The first query suggestion in that post gives me a table with user name and datetime and dashboard name.
The second query seems to present the same.

I need to query where count = 0.
Do you know how to do this?

Br

0 Karma

Vijeta
Influencer

@mrsplunx You can use the query below and modify it as per your need

    | rest services/data/ui/views splunk_server=local
    | rename title as dashboard
    | join type=outer dashboard
        [| search index=_internal sourcetype=splunkd_ui_access method=post ui/views
         | table user, req_time, file
         | rename file as dashboard req_time as editTime]
    | where ISNULL(user)
    | table dashboard eai:acl.owner

Eze
Engager

This one worked for me, thanks

0 Karma

mrsplunx
New Member

Hi
Just tried your suggestion.
req_time does not work. There is no column editTime
This query gives the same output:

    | rest services/data/ui/views splunk_server=local
    | rename title as dashboard
    | join type=outer dashboard
        [| search index=_internal sourcetype=splunkd_ui_access method=post ui/views
         | table user, file
         | rename file as dashboard]
    | where ISNULL(user)
    | table dashboard eai:acl.owner

You have "...as editTime" in your query.
I'm looking for dashboards not visited in x days. Sorry if I was unclear.
And with your query I get pretty much the same hits when I query for last week and from January 2017 to today, which cannot be true.

0 Karma
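
Added example (not from any poster in this thread): one way to list dashboards with no visit in the last x days, here x = 30. It reuses the referer extraction from suggestion 2 and the REST inventory from the reply above, but merges them with append and stats instead of join, so every dashboard in the inventory gets a row even when it has no access events. The isDashboard filter, the all-apps /servicesNS/-/- path and the 30-day window are assumptions to adjust.

```spl
index=_internal sourcetype=splunkd_ui_access user!="-" referer="*/app/*" earliest=-30d@d latest=now
| rex field=referer "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| stats max(_time) AS last_view BY app dashboard
| append
    [| rest /servicesNS/-/-/data/ui/views splunk_server=local
     | search isDashboard=1
     | rename title AS dashboard, eai:acl.app AS app, eai:acl.owner AS owner
     | eval last_view=0
     | fields app dashboard owner last_view ]
| stats max(last_view) AS last_view values(owner) AS owner BY app dashboard
| where last_view=0
| table app dashboard owner
```

The window cannot reach back further than the retention of the _internal index, which is 30 days by default, so a longer x requires raising that retention or saving daily view counts to a summary index.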