Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I look for dashboards/alerts not in use?

npanda04
New Member
‎06-27-2023 03:43 AM

Hi Team ,

 

Has anyone worked on finding out unused dashboards or alerts in Splunk .

Can you please assist me .

Thanks in Advance

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2023 06:55 AM

You'd think there'd be a dashboard for this similar to the one for Orphaned KOs, but there isn't.

The solution is to create your own, first by building a list of all dashboards or alerts using a rest command.

| rest /servicesNS/-/-/data/ui/views splunk_server=local ```List all dashboards```

| rest /servicesNS/-/-/saved/searches splunk_server=local | search alert_type!="always" ``` List all alerts ```

Then crawl the access logs (index=_internal source=*access.log) sufficiently far back (up to 30 days) to find which dashboards or alerts where accessed.  Then use a subsearch to find the difference between  that and the list of all dashboards/alerts.

| rest splunk_server=local /servicesNS/-/-/data/ui/views | search NOT [index=_internal source=*access.log <<SPL to find the dashboard name>> | dedup <<dashboard name>> ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

npanda04
New Member
‎06-28-2023 07:04 AM

Thanks for your response @richgalloway . Let me try this out and check 🙂

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2023 12:06 PM
Probably you need to extend retention period for _internal log from it’s default? Otherwise time period for searching from access.logs are quite short.
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...