- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find dashboards not in use by the amount of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find dashboards not in use by the amount of days?
Hi guys
I need to find all dashboards not used in x days.
I saw this has already been asked in this forum but I can't post links.
The post can hopefully be found by its id 662975.
If not here are the suggestions on how to solve it.
1.
index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, req_time, file
| rename file as dashboard req_time as editTime
2.
index=_internal user!="-" sourcetype=splunkd_ui_access "en-US/app" | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" | bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
The first query suggestion in that post gives me a table with user name and datetime and dashboard name.
The second query seems to present the same.
I need to query where count = 0.
Do you know how to do this?
Br
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mrsplunx You can use below query and modify as per your need
|rest services/data/ui/views splunk_server=local |rename title as dashboard|join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, req_time, file
| rename file as dashboard req_time as editTime]| where ISNULL(user)| table dashboard eai:acl.owner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This one worked for me thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Just tried your suggestion.
req_time does not work. There is no column editTime
This query gives the same output:
|rest services/data/ui/views splunk_server=local |rename title as dashboard |join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, file
| rename file as dashboard] | where ISNULL(user)| table dashboard eai:acl.owner
You have "...as editTime" in your query.
Im looking for dashboards not visited in x days. Sorry if I was unclear.
And with your query I get pretty much the same hits when I query for last week and from january 2017 to today, which cannot be true.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
