Dashboard and App views by user

This Splunk query / search shows historical access to dashboards and apps on a local splunk server.

  1. lnogues

    should join on title & app, there is no “app” field in the first part of the query :)

    index=_internal sourcetype=splunk_web_access host=* user=*
    | rex field=uri_path “.*/(?[^/]*)$”
    | join title
    [| rest /servicesNS/-/-/data/ui/views splunk_server=*
    | search isDashboard=1 isVisible=1
    | rename eai:acl.app as app
    | fields title app ]
    | rename title as dashboard
    | stats count by _time user dashboard app host

