This Splunk search shows historical access to dashboards and apps on a local Splunk server.
index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title
[| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| fields title app ]
| rename title as dashboard
| stats count by _time user dashboard app host
should join on title & app, there is no “app” field in the first part of the query :)
index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title
[| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| fields title app ]
| rename title as dashboard
| stats count by _time user dashboard app host
Inogues,
Absolutely! I’ll edit this to fix it :)
This is GREAT!
Is there a way to map the user to their email or name? Would that require another join of some sort?
I looked into the base search and didn’t see an email or name field.
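One way to cover both points raised in the comments, joining on title and app and mapping each user to a name and email, written here as an added example that is not part of the original post or its comments. It assumes dashboard URLs have the form /<locale>/app/<app>/<view> so that app can be extracted from uri_path, and it takes realname and email from the /services/authentication/users REST endpoint, which the searching account must be permitted to list and which may leave those fields empty for some accounts.

```spl
index=_internal sourcetype=splunk_web_access host=* user=* user!="-"
| rex field=uri_path "/app/(?<app>[^/]+)/(?<title>[^/]+)$"
| join type=inner title app
    [| rest /servicesNS/-/-/data/ui/views splunk_server=*
     | search isDashboard=1 isVisible=1
     | rename eai:acl.app as app
     | fields title app ]
| join type=left user
    [| rest /services/authentication/users splunk_server=local
     | rename title as user
     | fields user realname email ]
| fillnull value="unknown" realname email
| rename title as dashboard
| stats count by _time user realname email dashboard app host
```

The left join keeps access events for users that have no matching account record, and fillnull stops stats from dropping those rows.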