topic Re: How do you monitor for when someone creates a new dashboard? in Dashboards & Visualizations

How do you monitor for when someone creates a new dashboard?

amirarsalan — Mon, 07 Jan 2019 10:40:18 GMT

Hi!

I need some help.

I want to create a dashboard that shows when someone adds a new dashboard in Splunk.

I have a search that only shows when people make changes, but I need it for when someone creates a new dashboard.

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
  | rex field=referer "/(?editx?m?l?)(\?|$)"
  | rex field=other "\s*?\-\s*(?[\S]+)\s*"
  | table _time user clientip sessionId edit_type file useragent
  | rename file as dashboard req_time as editTime

Re: How do you monitor for when someone creates a new dashboard?

skalliger — Tue, 08 Jan 2019 14:09:23 GMT

Take a look into

| rest /services/data/ui/views
| search isDashboard="1"

hope this helps for further SPL. 🙂

Skalli

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Tue, 29 Sep 2020 22:36:33 GMT

Thanks Skalli!

Do you have another search i can use for that. I'm trying but don't get any answers from that I might do something wrong. I'm a kinde of beginner of using splunk 🙂
Would i still use index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/

/Amir

Re: How do you monitor for when someone creates a new dashboard?

skalliger — Tue, 08 Jan 2019 14:34:54 GMT

A Splunk search starting with "| rest" has to be at the beginning of the search (or subsearch but let's keep it simple). So you would begin with

| rest /services/data/ui/views

and go from there.
You could continue with something like

| where isDashboard="1" AND isVisible="1"

You have different possibilities. Just call the API and take a look what fields are provided. For example, you could count the number of dashboards or take a look at the timestamps.

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 08:11:20 GMT

Okey because all our data comes in to the index=_internal so i thought that i should use that

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 08:23:08 GMT

I tried,
| rest /services/data/ui/views
| where isDashboard="1" AND isVisible="1"

Then i tried to create new dashboard to see if something showed up but nothing showed up

Re: How do you monitor for when someone creates a new dashboard?

dkeck — Wed, 09 Jan 2019 09:31:40 GMT

If you add | table title updated after running your search

new search:

| rest /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| table title updated

I can see my newly added dashboards.

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 10:08:21 GMT

I tried that, i can only see a punch of dashboard that was newly updated. I only want to see newly dashboard

Re: How do you monitor for when someone creates a new dashboard?

dkeck — Wed, 09 Jan 2019 10:49:47 GMT

Ok I see.

Please try :

| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
| where first_seen=now()

You can set up an alert with this search OR leave out the last where and set up a new search to search the lookup for dashboards you haven´t seen in the last week e.g.

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 11:12:46 GMT

I tried it and i got respond this time with a lot of dashboards, then i tired to create a new dashboard but nothing showed up 😞

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Tue, 29 Sep 2020 22:40:34 GMT

With | where first_seen=now() i don't get any respons

Re: How do you monitor for when someone creates a new dashboard?

dkeck — Wed, 09 Jan 2019 11:58:50 GMT

Its normal that you get all dashboards on the fist time you enter the search ( for the search they are all new). Second time there should be no results, except you created a new one in between.

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 13:08:56 GMT

Aha then i understand, because i got results first time i run the search and not the second time.
But after that i created i new dashboard but still i did not get any results

Re: How do you monitor for when someone creates a new dashboard?

dkeck — Wed, 09 Jan 2019 13:11:16 GMT

in my test box it´s working.

Does the new dashboard show up in the rest call itself?
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"

Please perform the search step by step and try to figure out at which point your new dashboard can´t be found / is it wirtten to the lookup? etc.

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 13:54:28 GMT

I can only see my old dashboards

Re: How do you monitor for when someone creates a new dashboard?

dkeck — Wed, 09 Jan 2019 13:58:51 GMT

sounds more like a permission issue, the search is working

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Wed, 09 Jan 2019 14:51:06 GMT

I have superadmin, i can see other users dashboard when i use the search and my own dashboards but not the new ones i created

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Fri, 11 Jan 2019 14:29:52 GMT

Hi dkeck,

I found another search

| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

Now i can see my all dashboards also my own.

Can you help me now with that search? I only want to see when some person create a new dashboard. My search shows all our dashboards

Re: How do you monitor for when someone creates a new dashboard?

niketn — Sun, 13 Jan 2019 18:09:54 GMT

@amirarsalan rest API is the key however, you would also need lookup file to compare with a dashboard inventory list. PS: while using rest api make sure you filter out results from specific app/s as per your needs (also other filters if applicable like specific user/specific dashboard naming convention, specific permissions etc)

Step 1: Run the above search once and pipe outputlookup for saving to a lookupfile as available dashboard inventory list lets say dashboards_inventory.csv.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1"
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author
| outputlookup dashboards_inventory.csv

PS: This query would need to be run only once.

Step 2: Schedule an alert (based on frequency as per your use case, ideally daily once) to run above REST API and compare with available dashboard inventory list. This alert will take required alert action, like send out email or anything else as per your use case.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1" NOT title IN 
    (
      [| inputlookup dashboards_inventory.csv 
       | fields title 
       | stats values(title) as title 
       | eval search ="\"".mvjoin(title,"\",\"")."\"" 
       | table search]
    )
| fields title label author eai:acl.app 
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author

Step 3: If there is any additional Dashboard trigger the alert and also trigger an append output to lookup Alert action to update existing available dashboard inventory list. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/OutputToCSVLookup
Please try out and confirm if the approach works for you!

Re: How do you monitor for when someone creates a new dashboard?

amirarsalan — Mon, 14 Jan 2019 08:16:00 GMT

Hi!
I have this search| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

How do i create an alert when someone creates a new dashboard. Can i use this search?