-1

I need to locate data that has become stale in our Splunk instance - so that I can remove it

I need a way to find all the dashboards, and sort them by usage. From the audit logs I've been able to find all the actively used logs, but as my goal is to remove data, I most need the dashboards not in use

any ideas?

stuck
  • 2,264
  • 2
  • 28
  • 62

1 Answers1

1

You can get a list of all dashboards using | rest /services/data/ui/views | search isDashboard=1. Try combining that with your search for active dashboards to get those that are not active.

| rest /services/data/ui/views | search isDashboard=1 NOT [<your audit search> | fields id | format]
RichG
  • 9,063
  • 2
  • 18
  • 29