I'm looking for a query where we can find users using the dashboards. The report I need is of users using XabAB_TBBBBB_Dashboard in the Splunk Report Window, between the 20th August and till date.
But when I try to find it using the query below, it gives the wrong results. Thanks in advance 🙂
index="_internal" sourcetype=splunkd_ui_access | rex "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | stats values(user)
index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-")
|search sourcetype=splunk_web_access
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| stats values(USER) by access_time ,user
OR
index=_internal source=web_access.log /app/
| rex "(?:[^/\n]*/){5}(?P[^/]+)[^/\n]*/(?P\w+\s+)" -----> this is for extracting appname and viewname (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here)
| search app_name!="search" view_name!="search" app_name!="launcher"
|search sourcetype=splunk_web_access
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User
Thanks @nadlurinadluri,
This worked in my case -
index=_internal source=*splunkd_ui_access.log uri="*" NOT (user="-")
| eval access_time =strftime(_time,"%b %d, %Y : %H:%M:%S")
| stats min(access_time) as "Firstaccess" max(access_time) as "lastaccess" by user
Glad it worked for you!! Can you accept it if you are satisfied with the answer 🙂
Accepted already @nadlurinadluri
Start from here
index=_internal sourcetype=web_access CLIENT_URL=*XabAB_TBBBBB_Dashboard* | stats values(USER) by CLIENT_URL
This works for me
index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-")
| stats count by user
Can we also get the LastAccess timestamp there for all users using the report or dashboard?
Hi @splunk969,
try:
index="_internal" sourcetype=splunkd_ui_access | rex "\/app\/(?<app>[^\/]+)\/(?<dashboard>[^?\/\s]+)" | stats values(user) by dashboard
Dear @pyro_wood,
Thanks for the answer.
This search that you provided gives wrong results.
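Added example, not from any poster in this thread: one way to list who opened a specific dashboard together with each user's first and last access time, reusing the `rex` pattern and the `user` and `uri` fields that appear in the searches above. It takes `min`/`max` on `_time` before formatting, so the ordering is chronological rather than alphabetical on a formatted string, and it leaves the date range (20th August onward) to the time range picker; `views`, `first_access` and `last_access` are field names chosen here.

```spl
index=_internal sourcetype=splunkd_ui_access user!="-"
| rex field=uri "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search dashboard="XabAB_TBBBBB_Dashboard"
| stats count AS views, min(_time) AS first_access, max(_time) AS last_access BY user, app, dashboard
| sort 0 - last_access
| eval first_access=strftime(first_access, "%Y-%m-%d %H:%M:%S"), last_access=strftime(last_access, "%Y-%m-%d %H:%M:%S")
```

Dropping the `search dashboard=...` line gives the same per-user summary for every dashboard in every app.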