https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419889#M9960 <P>Current:<BR /> <CODE>index=_audit user!="splunk-system-user" user!="n/a" user!="MYUSER" user!=testuser* (action="login attempt") OR (search!="" search_id!="'scheduler*" search_id!="scheduler*" search_id!="'subsearch*") | sort - _time | table user host action info search _time</CODE></P> <P>Works well, but many times searches are similar across dashboards and I can't easily tell what dashboard my users are using. Is it possible to add dashboard_name to these alerts? I don't see it anywhere in the _raw for these events in _audit. Currently the only solution I can think of is to mod every back-end search (probably a hundred of them across all my dashboards) with the dashboard name so it can be rexed out... obviously that's an incredibly inelegant approach</P> Thu, 18 Apr 2019 22:18:16 GMT nick405060 2019-04-18T22:18:16Z https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419889#M9960 <P>Current:<BR /> <CODE>index=_audit user!="splunk-system-user" user!="n/a" user!="MYUSER" user!=testuser* (action="login attempt") OR (search!="" search_id!="'scheduler*" search_id!="scheduler*" search_id!="'subsearch*") | sort - _time | table user host action info search _time</CODE></P> <P>Works well, but many times searches are similar across dashboards and I can't easily tell what dashboard my users are using. Is it possible to add dashboard_name to these alerts? I don't see it anywhere in the _raw for these events in _audit. Currently the only solution I can think of is to mod every back-end search (probably a hundred of them across all my dashboards) with the dashboard name so it can be rexed out... obviously that's an incredibly inelegant approach</P> Thu, 18 Apr 2019 22:18:16 GMT https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419889#M9960 nick405060 2019-04-18T22:18:16Z https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419890#M9961 <P>Hi</P> <P>for dashboard usage activity </P> <P>Please use this search, the results also gives user name as well <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6920i1E70CF51CF2F0628/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>in the above search "my_test" is dashboard's name which you see in URL when you open the dashboard.</P> <P>Thanks</P> Fri, 19 Apr 2019 00:13:44 GMT https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419890#M9961 PowerPacked 2019-04-19T00:13:44Z https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419891#M9962 <P>GREAT. I modded it to make a bit more usable/readable, and added it to my _audit search, to make my overall user_activity alert be:</P> <PRE><CODE>(index=_internal sourcetype=splunkd_ui_access uri_path="/en-US/app*") OR (index=_audit AND action="login attempt" OR (search!="" search_id!="'scheduler*" search_id!="scheduler*" search_id!="'subsearch*")) user!="splunk-system-user" user!="n/a" user!="ME" user!=testuser* | eval sortable_time=_time | eval time=strftime(sortable_time,"%Y-%m-%d %H:%M:%S") | streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time user action info search clientip uri_path file earliest latest form_* | fields - _raw form_message_id form_remote_search_tok </CODE></PRE> Wed, 30 Sep 2020 00:12:32 GMT https://community.splunk.com/t5/Security/Can-I-get-Splunk-user-activity-alerts-that-include-dashboard/m-p/419891#M9962 nick405060 2020-09-30T00:12:32Z