Hi guys
I need to find all dashboards not used in x days.
I saw this has already been asked in this forum but I can't post links.
The post can hopefully be found by its id 662975.
If not here are the suggestions on how to solve it.
1.
index=_internal sourcetype=splunkd_ui_access method=post ui/views
| table user, req_time, file
| rename file as dashboard req_time as editTime
2.
index=_internal user!="-" sourcetype=splunkd_ui_access "en-US/app" | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" | bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
The first query suggestion in that post gives me a table with user name and datetime and dashboard name.
The second query seems to present the same.
I need to query where count = 0.
Do you know how to do this?
Br
... View more