All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

See User Activity by App and View

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-04-2019 03:24 PM

Please see accepted answer below for search that shows what apps and views (dashboards in those apps) users are going to, by user app and view.

Please let me know if this is helpful or improvements you would suggest.

Thanks!

Tags (1)
Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-05-2019 07:36 AM

Accepted Solution

   index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
    | stats count latest(_time) as ViewTime by user app view
    | sort -count
    | eventstats sum(count) as countByApp list(view) as view list(count) as count list(ViewTime) as ViewTime by user app
    | convert timeformat="%a %m/%d/%Y %I:%M:%S %p" ctime(ViewTime)
    | dedup app
    | appendpipe [stats sum(count) as count by user | eval view = "Total Views"]
    | sort + user -countByApp

One suggestion is to play with the table format to highlight the total views by user as per the screenshot below:
alt text

Here is an example of what your results might look like:
alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-05-2019 07:36 AM

Accepted Solution

   index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
    | stats count latest(_time) as ViewTime by user app view
    | sort -count
    | eventstats sum(count) as countByApp list(view) as view list(count) as count list(ViewTime) as ViewTime by user app
    | convert timeformat="%a %m/%d/%Y %I:%M:%S %p" ctime(ViewTime)
    | dedup app
    | appendpipe [stats sum(count) as count by user | eval view = "Total Views"]
    | sort + user -countByApp

One suggestion is to play with the table format to highlight the total views by user as per the screenshot below:
alt text

Here is an example of what your results might look like:
alt text

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-05-2019 07:04 AM

Hi @tnesavich_splunk,
Please look for Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) to check the complete example of how to highlight some cell in the table with JS.

Hope this helps!!!

0 Karma
Reply
Solved! Jump to solution

alonsocaio
Contributor
‎06-05-2019 04:23 AM

Hi,

This is a very interesting query actually. A while ago I was looking exactly for something like that.

My suggestion would be to use

| dedup app, user

Instead of

| dedup app

This would allow you to see if more than one user accessed the same app. Like, If user A and user B accessed the search app in the last hour and you dedup by app, you will see just one user in your table. When you dedup by app and user you see both users listed, even if they used the same app.

Reply
Solved! Jump to solution

Smrtz
Engager
3 weeks ago

Confirming this still works as of Splunk Cloud v9.0.2

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...