SPL
Dashboard and App views by user
Description
This Splunk query / search shows historical access to dashboards and apps on a local Splunk server.
index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title
    [| rest /servicesNS/-/-/data/ui/views splunk_server=*
    | search isDashboard=1 isVisible=1
    | rename eai:acl.app as app
    | fields title app ]
| rename title as dashboard
| stats count by _time user dashboard app host
Comments
3 total
should join on title & app, there is no "app" field in the first part of the query :)

index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title
[| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| fields title app ]
| rename title as dashboard
| stats count by _time user dashboard app host
Inogues,

Absolutely! I'll edit this to fix it :)
This is GREAT!

Is there a way to map the user to their email or name? Would that require another join of some sort?

I looked into the base search and didn't see an email or name field.
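An added example, not part of the original post or its comments: one way to join on both title and app, as the first comment suggests, and to attach each user's real name and email, as the last comment asks. It assumes Splunk Web paths of the form /<locale>/app/<app>/<view>, that the searching role is allowed to read /services/authentication/users, and that realname and email are populated there; the one-day time bucket is an arbitrary choice.

```spl
index=_internal sourcetype=splunk_web_access user=* user!="-"
| rex field=uri_path "^/[^/]+/app/(?<app>[^/]+)/(?<title>[^/]+)$"
| search app=* title=*
| join type=inner title app
    [| rest /servicesNS/-/-/data/ui/views splunk_server=local
    | search isDashboard=1 isVisible=1
    | rename eai:acl.app as app
    | fields title app ]
| join type=left user
    [| rest /services/authentication/users splunk_server=local
    | rename title as user
    | fields user realname email ]
| fillnull value="unknown" realname email
| rename title as dashboard
| bin _time span=1d
| stats count by _time user realname email dashboard app host
```

Because eai:acl.app is the app that owns the view, a globally shared dashboard opened through a different app's URL will not match the title-and-app join. The fillnull step keeps users with no directory entry in the results, since stats drops rows where a by-field is null.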