All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Top usernames

ajstokvis
New Member
‎10-20-2011 09:07 AM

Hello,

How can i add a colum on the traffic dashboard just like Top client IP's, but then with the Top Usernames?

It may replace one of the other colums, but its not necessary

Is this possible? If yes, how?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-20-2011 12:01 PM

Absolutely.

First of all, create a saved search that you can use in the dashboard. For reference, the saved search used for the Top 10 IP chart is called "Top 10 client IPs" and is as simple as:

sourcetype="squid" action="*" | top 10 clientip

Second, edit the dashboard XML. It's in the file SplunkforSquid/default/data/ui/views/dashboard.xml. In there you'll see a number of a number of sections beginning with HiddenSavedSearch modules. This is the one for the top client IP's:

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="Top client IPs" autoRun="True">
  <param name="useHistory">false</param>
  <param name="savedSearch">Top 10 client IPs</param>
  <module name="EnablePreview">
   <param name="enable">true</param>
   <param name="display">false</param>
   <module name="HiddenChartFormatter">
    <param name="chart">pie</param>
    <module name="FlashChart">
     <param name="height">300px</param>
     <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
      <param name="label">View full results</param>
     </module>
    </module>
   </module>
  </module>
 </module>

You can either simply change this section and switch the savedSearch name for the one you created for getting top usernames (and probably change the group name to get the correct label as well), or you can duplicate it if you want both charts in your dashboard. If you duplicate the section, make sure to update the layoutPanel to get the chart where you want.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-20-2011 12:01 PM

Absolutely.

First of all, create a saved search that you can use in the dashboard. For reference, the saved search used for the Top 10 IP chart is called "Top 10 client IPs" and is as simple as:

sourcetype="squid" action="*" | top 10 clientip

Second, edit the dashboard XML. It's in the file SplunkforSquid/default/data/ui/views/dashboard.xml. In there you'll see a number of a number of sections beginning with HiddenSavedSearch modules. This is the one for the top client IP's:

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="Top client IPs" autoRun="True">
  <param name="useHistory">false</param>
  <param name="savedSearch">Top 10 client IPs</param>
  <module name="EnablePreview">
   <param name="enable">true</param>
   <param name="display">false</param>
   <module name="HiddenChartFormatter">
    <param name="chart">pie</param>
    <module name="FlashChart">
     <param name="height">300px</param>
     <module name="ViewRedirectorLink">
      <param name="viewTarget">flashtimeline</param>
      <param name="label">View full results</param>
     </module>
    </module>
   </module>
  </module>
 </module>

You can either simply change this section and switch the savedSearch name for the one you created for getting top usernames (and probably change the group name to get the correct label as well), or you can duplicate it if you want both charts in your dashboard. If you duplicate the section, make sure to update the layoutPanel to get the chart where you want.

Reply
Solved! Jump to solution

ajstokvis
New Member
‎10-24-2011 07:09 AM

Works again!!!

I might come with more questions in the future! 😉

Realy happy with this

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-24-2011 07:02 AM

Sure, just filter out the user in your saved search. Something like this:

 search = sourcetype="squid" action="*" NOT username="theuser" | top 10 username

Great to hear that it's working and that it's useful! 🙂
Could you please mark my answer as accepted? That way it shows clearly on the site that this question got a valid answer.

0 Karma
Reply
Solved! Jump to solution

ajstokvis
New Member
‎10-24-2011 06:53 AM

Thank you very much!!
It works realy nice.

I have another question, is it possible to filter out one user?

I have 1 user that i dont want to see in the chart.
Can i make an exception for that user so that it dont show up in the chart?

Thank you very much for this, splunkforsquid is what i have been looking for a long time!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...