Hi All,
How can I make a REST endpoint search to find dashboards which are not in use or have not even been accessed for the last 2 months?
Thanks,
Tarak
The REST endpoint doesn't give usage information. Try something like this:
index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20
By default, _internal logs are only kept for 30 days, so your threshold for usage should be less than the data retention on the _internal index.
Updated
Adding LastAccessed (thanks to @renjith.nair) and owner of the dashboard.
index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
Getting an error when running the above query.
"Unbalanced quotes."
It's Working....
index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
Hi Some,
Can we add a date field also in the above query, so I can see a date column in the output and correlate dashboards which have not been accessed in the last 2 months?
Thanks,
Tarak
Hi Team,
How can I add the user field also in the query below?
index=_internal source=*access.log earliest=-2mon */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>60 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
There is a field user in the first search.
Hi Some,
I can get the output for owner, need to add user field in search query.
Yes, explore the data coming from index=_internal source=*access.log. It has a field user. Use that in the query (in stats) so that it's included in the result.
Hi Renjith/Soni,
The above query is similar to my next question:
I am looking only for the search app (search AppName=search) associated with the owner, and users who haven't accessed those objects (such as reports, searches, saved searches and dashboards) for 60+ days.
Thanks,
Tarak
I need to add one more column for "user", similar to the query below, where nobody has accessed those objects for 60 days. I hope you guys have a better idea on this. Kindly reply to me.
index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
Hello,
I tried to run this query but I am not seeing the dashboard name (such as dashboard name "Audio").
I have 250+ dashboards whose names are shown in Dashboards as a Title.
Is it possible to add the dashboard title and the owner of the dashboard in this query?
index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")
Thanks,
Tarak
Can anyone help me with my above comment?
Date field is part of your search: LastAccessed. Just add |eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") to your search for formatted output.