Re: How to find dashboards not in use by the amoun...

mrsplunx · ‎06-11-2019

Hi guys

I need to find all dashboards not used in x days.
I saw this has already been asked in this forum but I can't post links.
The post can hopefully be found by its id 662975.
If not here are the suggestions on how to solve it.

1.

 index=_internal sourcetype=splunkd_ui_access method=post ui/views
   | table user, req_time, file 
   | rename file as dashboard req_time as editTime

2.

index=_internal user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" | bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time

The first query suggestion in that post gives me a table with user name and datetime and dashboard name.
The second query seems to present the same.

I need to query where count = 0.
Do you know how to do this?

Br

thambisetty · ‎05-19-2024

|rest /servicesNS/-/-/data/ui/views splunk_server=local  ``` Produces all views that are present in local searchhead ```
|  table id,updated,eai:acl.removable, eai:acl.app ```eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard```
|  rename eai:acl.* as * 
|  rex field=id ".*\/(?<dashboard>.*)$"
|  table app dashboard updated removable 
|  join type=left dashboard app 
    [search index=_audit ```earliest=<setasperyourneeds> host=<yoursearchhead>``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!=""
|  stats earliest(_time) as earliest_time latest(_time) as latest_time by  app provenance
|  convert ctime(*_time)
|  rex field=provenance ".*\:(?<dashboard>.*)$"
|  table earliest_time latest_time app dashboard ```produces dashboards that are used in timerange given in earliest/global time range```]
|  where isnull(earliest_time) AND removable=1 ``` condition to return only dashboards that are not viewed ```
|  stats values(dashboard) as dashbaord by app

————————————
If this helps, give a like below.

Vijeta · ‎06-11-2019

@mrsplunx You can use below query and modify as per your need

|rest services/data/ui/views splunk_server=local |rename title as dashboard|join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
    | table user, req_time, file 
    | rename file as dashboard req_time as editTime]| where ISNULL(user)| table dashboard eai:acl.owner

Eze · ‎03-08-2021

This one worked for me thanks

mrsplunx · ‎06-12-2019

Hi
Just tried your suggestion.
req_time does not work. There is no column editTime
This query gives the same output:
|rest services/data/ui/views splunk_server=local |rename title as dashboard |join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, file
| rename file as dashboard] | where ISNULL(user)| table dashboard eai:acl.owner

You have "...as editTime" in your query.
Im looking for dashboards not visited in x days. Sorry if I was unclear.
And with your query I get pretty much the same hits when I query for last week and from january 2017 to today, which cannot be true.

How to find dashboards not in use by the amount of days?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)