_audit Archives -

Use this search to find unused dashboards:

| rest /servicesNS/-/-/data/ui/views splunk_server=* 
| search isDashboard=1 
| rename eai:acl.app as app 
| fields title app 
| join type=left title 
[| search index=_internal sourcetype=splunk_web_access host=* user=* 
| rex field=uri_path ".*/(?<title>[^/]*)$" 
| stats latest(_time) as Time latest(user) as user by title
] 
| where isnotnull(Time) 
| eval Now=now() 
| eval "Days since last accessed"=round((Now-Time)/86400,2) 
| sort - "Days since last accessed" 
| convert ctime(Time) 
| fields - Now

| rest /servicesNS/-/-/data/ui/views splunk_server=*

| search isDashboard=1

| rename eai:acl.app as app

| fields title app

| join type=left title

[| search index=_internal sourcetype=splunk_web_access host=* user=*

| rex field=uri_path ".*/(?<title>[^/]*)$"

| stats latest(_time) as Time latest(user) as user by title

]

| where isnotnull(Time)

| eval Now=now()

| eval "Days since last accessed"=round((Now-Time)/86400,2)

| sort - "Days since last accessed"

| convert ctime(Time)

| fields - Now

Admin Notes – Fantastic query! I modified the SPL slightly as I had an issue when I copied it to my two test environments.

Continue Reading →

Show Searches with Details (Who | When | What)

The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search What sourcetype was used What index was used What the search string was When the search was last ran

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"
| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" 
| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| convert ctime(Latest)

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"

| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"

| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"

| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"

| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed

| convert ctime(Latest)

Continue Reading →

Sourcetype: _audit

Find unused dashboards

Show Searches with Details (Who | When | What)