https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61995#M12402 <P>I used this <BR /> index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100</P> <P>However sometimes i get users that did not log in, saying they did log in.</P> <P>I think it might be due to the DNS LP address changing..</P> Tue, 29 Sep 2020 16:37:24 GMT robertlynch2020 2020-09-29T16:37:24Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61991#M12398 <P>Is it possible to Monitor Spunk User activity of users using Splunk, based on Splunk internal Logs?</P> <P>If so What would be the best place to start monitoring?, if there was an already built Splunk App for this that would be a great advantage <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>If the above isnt possible, what would be the best alternative?</P> Tue, 29 May 2012 05:48:27 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61991#M12398 Dark_Ichigo 2012-05-29T05:48:27Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61992#M12399 <P>The <A href="http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk">Splunk on Splunk app</A> has some User Activity views.</P> <P>Furthermore you can search the "_audit" index :</P> <PRE><CODE>index=_audit | table _time user action info </CODE></PRE> <P>The "_internal" index also has some sources on which to do username analytics ie:searches.log</P> Tue, 29 May 2012 06:15:44 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61992#M12399 Damien_Dallimor 2012-05-29T06:15:44Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61993#M12400 <P>Thanks, This is almost exactly what I needed.</P> Wed, 30 May 2012 04:47:56 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61993#M12400 Dark_Ichigo 2012-05-30T04:47:56Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61994#M12401 <P>Hello,</P> <P>App S.O.S. (Splunk On Splunk) provides dashboards about that, furthermore, without any app, on right top menu, you have: Activity &gt; System Activity &gt; Search overview / details / user activity.</P> <P>Regards,</P> Thu, 21 May 2015 09:24:48 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61994#M12401 vince2010091 2015-05-21T09:24:48Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61995#M12402 <P>I used this <BR /> index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart span=1d distinct_count(clienthost) by clienthost limit=100</P> <P>However sometimes i get users that did not log in, saying they did log in.</P> <P>I think it might be due to the DNS LP address changing..</P> Tue, 29 Sep 2020 16:37:24 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61995#M12402 robertlynch2020 2020-09-29T16:37:24Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61996#M12403 <P>Dashboard of user activity. Note: you can optionally add your own host filters for the host/search head drop-down.</P> <PRE><CODE> &lt;form&gt; &lt;label&gt;Activity Audit&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="time" token="time" searchWhenChanged="true"&gt; &lt;label&gt;Time Range&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;-60m@m&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="host" searchWhenChanged="true"&gt; &lt;label&gt;Host (search head)&lt;/label&gt; &lt;choice value="*"&gt;All&lt;/choice&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="action" searchWhenChanged="true"&gt; &lt;label&gt;Action&lt;/label&gt; &lt;choice value="*"&gt;All&lt;/choice&gt; &lt;fieldForLabel&gt;action&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;action&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ action=* | fields action | dedup action | table action | sort action&lt;/query&gt; &lt;earliest&gt;-7d@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="action_pattern" searchWhenChanged="true"&gt; &lt;label&gt;Action Pattern&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="info_message" searchWhenChanged="true"&gt; &lt;label&gt;Info Message&lt;/label&gt; &lt;choice value="*"&gt;All&lt;/choice&gt; &lt;choice value="NULL"&gt;NULL&lt;/choice&gt; &lt;default&gt;*&lt;/default&gt; &lt;fieldForLabel&gt;info&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;info&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ action=* | fields info | dedup info | table info | sort info | search NOT info="app=*"&lt;/query&gt; &lt;earliest&gt;-30d@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt; &lt;input type="text" token="info_message_pattern" searchWhenChanged="true"&gt; &lt;label&gt;Info Message Pattern&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="user" searchWhenChanged="true"&gt; &lt;label&gt;User&lt;/label&gt; &lt;choice value="*"&gt;All&lt;/choice&gt; &lt;default&gt;*&lt;/default&gt; &lt;fieldForLabel&gt;user&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;user&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ action=* | fields user | dedup user | table user | sort user&lt;/query&gt; &lt;/search&gt; &lt;/input&gt; &lt;input type="text" token="user_pattern" searchWhenChanged="true"&gt; &lt;label&gt;User Pattern&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="user_list" searchWhenChanged="true"&gt; &lt;label&gt;User List (comma seperated)&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Current Time&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| makeresults | eval _time=now() | table _time&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="host"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Active User Accounts&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| rest /services/authentication/users splunk_server=local | table defaultApp id realname email roles type splunk_server capabilities | replace "*%40*" with "*@*" in id | rex field=id "/users/(?&amp;lt;user&amp;gt;.+)$" | table user realname email type roles splunk_server | search user="$user$" user="*$user_pattern$*" user IN ($user_list$)&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="host"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="info"&gt; &lt;colorPalette type="map"&gt;{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}&lt;/colorPalette&gt; &lt;/format&gt; &lt;format type="color" field="type"&gt; &lt;colorPalette type="map"&gt;{"SAML":#A2CC3E,"Splunk":#F7BC38}&lt;/colorPalette&gt; &lt;/format&gt; &lt;format type="color" field="roles"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="splunk_server"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Last Action&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields _time user action info | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | sort -_time | dedup user | table _time user action info | sort user&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="host"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="info"&gt; &lt;colorPalette type="map"&gt;{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6,"NULL":#D1D1D1}&lt;/colorPalette&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Last Login Attempt&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ action="login attempt" | fields _time user action info | fillnull value=NULL | search info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | sort -_time | dedup user | table _time user action info | sort user&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="host"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="info"&gt; &lt;colorPalette type="map"&gt;{"succeeded":#79CA00,"failed":#D93F3C,"granted":#65A637,"completed":#A2CC3E,"canceled":#6DB7C6,"cancel":#6DB7C6,"denied":#D93F3C,"success":#B3E37D,"pause":#6DB7C6,"resume":#6DB7C6}&lt;/colorPalette&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Activity Timeline by Host&lt;/title&gt; &lt;chart&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields _time user action info host | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields _time host | timechart count by host&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="charting.axisTitleY.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.chart"&gt;column&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;minmax&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.drilldown"&gt;none&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;bottom&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Activity Timeline by User&lt;/title&gt; &lt;chart&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields _time user action info user | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields _time user | timechart count by user&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="charting.axisTitleY.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.chart"&gt;column&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;minmax&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.drilldown"&gt;none&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;bottom&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Activity Timeline by Action&lt;/title&gt; &lt;chart&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields _time user action info | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields _time action | timechart count by action&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="charting.axisTitleY.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.chart"&gt;column&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;minmax&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.drilldown"&gt;none&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;bottom&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Top Host&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields user action info host | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields host | top host limit=1000&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="host"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Top Users&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ a | fields user action info | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields user | top user limit=1000&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Top Actions&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ | fields user action info | fillnull value=NULL | search action="*$action$" action="$action_pattern$*" info="$info_message$" info="*$info_message_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | fields action | top action limit=1000&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Top Actions by User and Host&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_audit sourcetype=audittrail host=$host$ action=$action$ action="*$action_pattern$*" user=$user$ user="*$user_pattern$*" user IN ($user_list$) | eval user_activity=host+"-"+user+"-"+action | top user_activity limit=1000&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;10&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;format type="color" field="user"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="action"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;format type="color" field="user_activity"&gt; &lt;colorPalette type="sharedList"&gt;&lt;/colorPalette&gt; &lt;scale type="sharedCategory"&gt;&lt;/scale&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Thu, 23 May 2019 18:20:28 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61996#M12403 bandit 2019-05-23T18:20:28Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61997#M12404 <P>Error parsing XML on line 417: Premature end of data in tag form line 1</P> Thu, 23 May 2019 19:49:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61997#M12404 robertlynch2020 2019-05-23T19:49:36Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61998#M12405 <P>Thanks @robertlynch2020 - I've corrected the paste typo.</P> Fri, 24 May 2019 15:13:05 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/61998#M12405 bandit 2019-05-24T15:13:05Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/684945#M114284 <P data-unlink="true">Hello,<BR /><BR />I've used the upper example and it works just fine, but I have a small notice which I can't pass<BR />So might not be related to this subject, but as long as it is in this page..&nbsp;<BR />"<SPAN class="">This dashboard version is missing. Update the dashboard version in source."<BR /><BR />So raised question: Where should I add/insert the dashboard tags as outside form tags is not accepted and inside form tags is not accepted too. (Edit Dashboard -&gt; Source)<BR />Thank you&nbsp;&nbsp;</SPAN></P> Mon, 22 Apr 2024 06:52:13 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/684945#M114284 afk 2024-04-22T06:52:13Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/684946#M114285 <P>Replace</P><PRE>&lt;form&gt;</PRE><P>with</P><PRE>&lt;form version="1.1"&gt;</PRE><P>(optionally)</P><PRE>&lt;form version="1.1" theme="dark"&gt;</PRE> Mon, 22 Apr 2024 07:02:19 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-Monitor-Splunk-User-activity/m-p/684946#M114285 PickleRick 2024-04-22T07:02:19Z