See User Activity by App and View

tnesavich_splun
Splunk Employee

Please see the accepted answer below for a search that shows what apps and views (dashboards in those apps) users are going to, by user, app and view.

Please let me know if this is helpful or if there are improvements you would suggest.

Thanks!


tnesavich_splun
Splunk Employee

Accepted Solution

    index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
    | stats count latest(_time) as ViewTime by user app view
    | sort -count
    | eventstats sum(count) as countByApp list(view) as view list(count) as count list(ViewTime) as ViewTime by user app
    | convert timeformat="%a %m/%d/%Y %I:%M:%S %p" ctime(ViewTime)
    | dedup app
    | appendpipe [stats sum(count) as count by user | eval view = "Total Views"]
    | sort + user -countByApp

One suggestion is to play with the table format to highlight the total views by user as per the screenshot below:
[screenshot]

Here is an example of what your results might look like:
[screenshot]


VatsalJagani
SplunkTrust

Hi @tnesavich_splunk,
Please look at the Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) to check the complete example of how to highlight a cell in the table with JS.

Hope this helps!!!


alonsocaio
Contributor

Hi,

This is a very interesting query actually. A while ago I was looking for exactly something like that.

My suggestion would be to use

| dedup app, user

instead of

| dedup app

This would allow you to see if more than one user accessed the same app. Like, if user A and user B accessed the search app in the last hour and you dedup by app, you will see just one user in your table. When you dedup by app and user, you see both users listed, even if they used the same app.
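
The effect of the `dedup` change discussed above, as an added example that is not part of the original thread: a Python emulation of the search's `stats`, `eventstats` and `dedup` steps over constructed events. The function names, sample users and apps are assumptions for illustration; in a user-activity review, `dedup app` hides every user after the first one seen for a shared app.

```python
from collections import defaultdict

# Constructed sample events (not real data); the fields mirror the ones the
# search reads from sourcetype="splunk_web_access".
EVENTS = [
    {"user": "userA", "app": "search", "view": "search"},
    {"user": "userA", "app": "search", "view": "search"},
    {"user": "userA", "app": "search", "view": "dashboards"},
    {"user": "userB", "app": "search", "view": "search"},
    {"user": "userB", "app": "launcher", "view": "home"},
]

def stats_by_user_app(events):
    """Emulate `stats count by user app view | sort -count | eventstats ... by user app`.
    As with eventstats, every row of a (user, app) group carries the same lists."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["app"], e["view"])] += 1
    rows = sorted(counts.items(), key=lambda kv: -kv[1])  # sort -count
    groups = defaultdict(lambda: {"view": [], "count": []})
    for (user, app, view), n in rows:
        groups[(user, app)]["view"].append(view)
        groups[(user, app)]["count"].append(n)
    return [{"user": u, "app": a, "countByApp": sum(groups[(u, a)]["count"]),
             **groups[(u, a)]} for (u, a, _view), _n in rows]

def dedup(rows, *fields):
    """Emulate `dedup <fields>`: keep the first row for each field combination."""
    seen, kept = set(), []
    for row in rows:
        key = tuple(row[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(row)
    return kept

def users_per_app(rows):
    """Users still visible for each app after dedup."""
    out = defaultdict(set)
    for row in rows:
        out[row["app"]].add(row["user"])
    return dict(out)

if __name__ == "__main__":
    rows = stats_by_user_app(EVENTS)
    print("dedup app      :", users_per_app(dedup(rows, "app")))
    print("dedup app, user:", users_per_app(dedup(rows, "app", "user")))
```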
