
How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Hi All,

How can I make a rest endpoint search to search for dashboards which are not in use or not even accessed for the last 2 months?

Thanks,

Tarak

0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

SplunkTrust

The REST endpoint doesn't give usage information. Try something like this:-

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20

By default, _internal logs are only kept for 30 days, so your threshold for usage should be less than the data retention on the _internal index.

Updated
Adding LastAccessed (thanks to @renjith.nair) and owner of the dashboard.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]


Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Hi Some,

Can we add a date field also in the above query, so I can see a date column in the output and correlate dashboards which have not been accessed in the last 2 months?

Thanks,

Tarak

0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

SplunkTrust

The date field is part of your search: LastAccessed. Just add | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") to your search for formatted output.


Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Hello,

I tried to run this query but I am not seeing the dashboard name (such as dashboard name "Audio").
I have 250+ dashboards whose names are shown in Dashboards as a title.
Is it possible to add the dashboard title and the owner of the dashboard in this query?

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=* AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S")

Thanks,
Tarak

0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Can anyone help me with my above comment?

0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Hi Renjith/Soni,

The above query is similar to my next question:

I am looking for only the search app (search AppName=search) associated with the owner, and users who haven't accessed those objects (such as reports, searches, saved searches and dashboards) for 60+ days.

Thanks,
Tarak

0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

I need to add one more column for "user", similar to the query below, where nobody has accessed those objects for 60 days. I hope you guys have a better idea on this. Kindly reply to me.

index=_internal source=*access.log */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>20 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

New Member

Hi Team,

How can I add the user field also in the query below?

index=_internal source=*access.log earliest=-2mon */app/* | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\"" | search AppName=search AND ViewName=* | stats max(_time) as LastAccessed by AppName, ViewName | eval age=now()-LastAccessed | where age>60 | eval Date=strftime(LastAccessed,"%d-%m-%Y %H:%M:%S") | join type=left ViewName [| rest /servicesNS/-/-/data/ui/views | table author title | rename title as ViewName author as owner ]
0 Karma

Re: How to make a rest endpoint search to find dashboards that are not in use or have not been accessed for the last 2 months?

SplunkTrust

There is a field user in the first search.

0 Karma
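
An added example, not code from any poster in this thread: the searches above start from the access log, so a dashboard that was never opened inside the _internal retention window produces no row at all. This variant starts from the REST inventory and left-joins the access data, which also returns the title, owner and last user asked about in the later replies. Assumptions: the views endpoint's isDashboard, label and eai:acl.* fields, the access-log user field mentioned in the last reply, a 30-day lookback, and age measured in days (seconds divided by 86400).

```spl
| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1
| rename eai:acl.app AS AppName, title AS ViewName, eai:acl.owner AS owner, label AS Title
| fields AppName ViewName Title owner
| join type=left AppName ViewName
    [ search index=_internal source=*access.log */app/* earliest=-30d
      | rex "\/app\/(?<AppName>\w+)\/(?<ViewName>\w+)\""
      | search AppName=* AND ViewName=*
      | stats max(_time) AS LastAccessed latest(user) AS LastUser BY AppName ViewName ]
| eval age_days=round((now()-LastAccessed)/86400, 1)
| where isnull(LastAccessed) OR age_days>20
| eval Date=if(isnull(LastAccessed), "no access in lookback", strftime(LastAccessed, "%d-%m-%Y %H:%M:%S"))
| table AppName ViewName Title owner LastUser Date age_days
```

Rows marked "no access in lookback" are dashoards that exist in the inventory but have no matching access-log event in the window. The lookback cannot usefully exceed the retention of the _internal index, so a 60-day threshold needs that retention raised first.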