Splunk Search

How would I look for dashboards/alerts not in use?

npanda04
New Member

Hi Team,

Has anyone worked on finding unused dashboards or alerts in Splunk?

Can you please assist me?

Thanks in Advance

0 Karma

richgalloway
SplunkTrust

You'd think there'd be a dashboard for this similar to the one for Orphaned KOs, but there isn't.

The solution is to create your own, first by building a list of all dashboards or alerts using a rest command.

| rest /servicesNS/-/-/data/ui/views splunk_server=local ```List all dashboards```

| rest /servicesNS/-/-/saved/searches splunk_server=local | search alert_type!="always" ``` List all alerts ```

Then crawl the access logs (index=_internal source=*access.log) sufficiently far back (up to 30 days) to find which dashboards or alerts were accessed. Then use a subsearch to find the difference between that and the list of all dashboards/alerts.

| rest splunk_server=local /servicesNS/-/-/data/ui/views | search NOT [search index=_internal source=*access.log <<SPL to find the dashboard name>> | dedup <<dashboard name>> ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
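
One way to fill in the placeholders in the last search above, as an added example that is not part of the original reply. It assumes dashboard page loads appear in the access logs as `GET /<locale>/app/<app>/<dashboard>` requests, extracts both names from the raw event with `rex`, and compares them with the `eai:acl.app` and `title` fields returned by the REST endpoint:

```spl
| rest /servicesNS/-/-/data/ui/views splunk_server=local
| rename eai:acl.app AS app, title AS dashboard
| fields app dashboard
| search NOT
    [ search index=_internal source=*access.log earliest=-30d "/app/"
      | rex "GET /[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^/?\s]+)"
      | where isnotnull(dashboard)
      | stats count BY app dashboard
      | fields app dashboard ]
| sort app dashboard
```

Subsearches are subject to result-count and runtime limits, so on a busy instance the 30-day scan can be cut short and list dashboards as unused when they were in fact opened; check the job inspector for truncation messages before acting on the output.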

npanda04
New Member

Thanks for your response @richgalloway. Let me try this out and check 🙂

0 Karma

isoutamo
SplunkTrust

You probably need to extend the retention period for the _internal log from its default? Otherwise the time period for searching from the access logs is quite short.
0 Karma