How to find dashboards not in use by the amount of...

mrsplunx · ‎06-11-2019

Hi guys

I need to find all dashboards not used in x days.
I saw this has already been asked in this forum but I can't post links.
The post can hopefully be found by its id 662975.
If not here are the suggestions on how to solve it.

1.

 index=_internal sourcetype=splunkd_ui_access method=post ui/views
   | table user, req_time, file 
   | rename file as dashboard req_time as editTime

2.

index=_internal user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" | bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time

The first query suggestion in that post gives me a table with user name and datetime and dashboard name.
The second query seems to present the same.

I need to query where count = 0.
Do you know how to do this?

Br

thambisetty · ‎05-19-2024

|rest /servicesNS/-/-/data/ui/views splunk_server=local  ``` Produces all views that are present in local searchhead ```
|  table id,updated,eai:acl.removable, eai:acl.app ```eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard```
|  rename eai:acl.* as * 
|  rex field=id ".*\/(?<dashboard>.*)$"
|  table app dashboard updated removable 
|  join type=left dashboard app 
    [search index=_audit ```earliest=<setasperyourneeds> host=<yoursearchhead>``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!=""
|  stats earliest(_time) as earliest_time latest(_time) as latest_time by  app provenance
|  convert ctime(*_time)
|  rex field=provenance ".*\:(?<dashboard>.*)$"
|  table earliest_time latest_time app dashboard ```produces dashboards that are used in timerange given in earliest/global time range```]
|  where isnull(earliest_time) AND removable=1 ``` condition to return only dashboards that are not viewed ```
|  stats values(dashboard) as dashbaord by app

————————————
If this helps, give a like below.

Vijeta · ‎06-11-2019

@mrsplunx You can use below query and modify as per your need

|rest services/data/ui/views splunk_server=local |rename title as dashboard|join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
    | table user, req_time, file 
    | rename file as dashboard req_time as editTime]| where ISNULL(user)| table dashboard eai:acl.owner

Eze · ‎03-08-2021

This one worked for me thanks

mrsplunx · ‎06-12-2019

Hi
Just tried your suggestion.
req_time does not work. There is no column editTime
This query gives the same output:
|rest services/data/ui/views splunk_server=local |rename title as dashboard |join type=outer dashboard[|search index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, file
| rename file as dashboard] | where ISNULL(user)| table dashboard eai:acl.owner

You have "...as editTime" in your query.
Im looking for dashboards not visited in x days. Sorry if I was unclear.
And with your query I get pretty much the same hits when I query for last week and from january 2017 to today, which cannot be true.

How to find dashboards not in use by the amount of days?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?