Splunk Search

How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

taraksinha
New Member

Hi All,

How can I make a REST endpoint search to find dashboards which are not in use or have not even been accessed in the last 2 months?

Thanks,

Tarak

1 Solution

somesoni2
Revered Legend

The REST endpoint doesn't give usage information. Try something like this:

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20*86400

By default, _internal logs are only kept for 30 days, so your threshold for usage should be less than the data retention on the _internal index.

Updated
Adding LastAccessed (thanks to @renjith.nair) and owner of the dashboard.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20*86400 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName, author as owner ]
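
The query above starts from the access log, so a dashboard that nobody opened within the lookback produces no row at all and can never show up as "unused"; note also that age is in seconds, so a day threshold must be multiplied by 86400. The following query is an added example, not from this thread: it reverses the join, starting from the views endpoint so every dashboard is listed, and flags the ones with no matching access event. It assumes the isDashboard, label and eai:acl.app fields returned by the views endpoint and the user field of the web access log.

```spl
| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1
| rename title AS ViewName, label AS Title, author AS owner, eai:acl.app AS AppName
| table AppName ViewName Title owner
| join type=left AppName ViewName
    [ search index=_internal source=*access.log earliest=-60d */app/*
      | rex "\/app\/(?<AppName>[^\/]+)\/(?<ViewName>[^\/?\s\"]+)"
      | stats max(_time) AS LastAccessed, dc(user) AS users, values(user) AS user BY AppName ViewName ]
| eval Date=strftime(LastAccessed, "%d-%m-%Y %H:%M:%S")
| eval age_days=round((now()-LastAccessed)/86400, 0)
| eval status=if(isnull(LastAccessed), "unused in lookback", "used")
| table AppName ViewName Title owner status Date age_days users user
| sort status
```

Because _internal is kept for 30 days by default, a 60-day lookback only proves absence for the retained window; extend the index retention or summary-index the stats output if a longer window is needed. Append | where status="unused in lookback" to keep only the candidates.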

taraksinha
New Member

Getting an error while running the above query.

"Unbalanced quotes."


taraksinha
New Member

It's working...

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20*86400 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName, author as owner ]

taraksinha
New Member

Hi Some,

Can a date field also be added to the above query, so I can see a date column in the output and correlate dashboards which have not been accessed in the last 2 months?

Thanks,

Tarak


taraksinha
New Member

Hi Team,

How can I also add the user field to the query below?

index=_internal source=*access.log earliest=-2mon */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>60*86400 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName, author as owner ]

somesoni2
Revered Legend

There is a field user in the first search.


taraksinha
New Member

Hi Some,

I can get the output for owner; I need to add the user field to the search query.


somesoni2
Revered Legend

Yes, explore the data coming from index=_internal source=*access.log. It has a field user. Use that in the query (in stats) so that it's included in the result.


taraksinha
New Member

Hi Renjith/Soni,

The above query is similar to my next question:

I am looking for only the search app (search AppName=search) associated with the owner, and the users who haven't accessed those objects (such as reports, searches, saved searches and dashboards) for 60+ days.

Thanks,
Tarak


taraksinha
New Member

I need to add one more column for "user", similar to the query below, where nobody has accessed those objects for 60 days. I hope you guys have a better idea on this; kindly reply to me.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20*86400 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName, author as owner ]

taraksinha
New Member

Hello,

I tried to run this query but I'm not seeing the dashboard name (such as the dashboard named "Audio").
I have 250+ dashboards whose names are shown in the dashboards list as a Title.
Is it possible to add the dashboard Title and the owner of the dashboard to this query?

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20*86400 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Thanks,
Tarak


taraksinha
New Member

Can anyone help me with my above comment?


renjith_nair
Legend

The Date field is part of your search: LastAccessed. Just add |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") to your search for formatted output.

---
What goes around comes around. If it helps, hit it with Karma 🙂