Can you search for users who are using a dashboard between certain dates?

splunker969
Communicator

I'm looking for a query to find users using the dashboards. The report I need is of users using XabAB_TBBBBB_Dashboard in the Splunk Report Window, from the 20th of August till date.

But when I try to find it using the query below, it gives the wrong results. Thanks in advance 🙂

index="_internal"  sourcetype=splunkd_ui_access | rex "/app/(?[^/]+)/(?[^?/\s]+)" |stats values(user)
0 Karma
1 Solution

nadlurinadluri
Communicator
index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-")
| search sourcetype=splunk_web_access
| eval access_time=strftime(_time,"%Y-%d-%m %H:%M")
| stats values(USER) by access_time, user

OR

index=_internal source=web_access.log /app/
| rex "(?:[^/\n]*/){5}(?P<app_name>[^/]+)[^/\n]*/(?P<view_name>\w+\s+)"
| search app_name!="search" view_name!="search" app_name!="launcher"
| search sourcetype=splunk_web_access
| eval access_time=strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User

The rex is for extracting appname and viewname (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here).

splunker969
Communicator

Thanks @nadlurinadluri,

This worked in my case -

index=_internal source=*splunkd_ui_access.log uri="*" NOT (user="-")
| eval access_time=strftime(_time,"%b %d, %Y : %H:%M:%S")
| stats min(access_time) as "Firstaccess" max(access_time) as "lastaccess" by user
0 Karma

nadlurinadluri
Communicator

Glad it worked for you!! Can you accept it if you are satisfied with the answer? 🙂

0 Karma

splunker969
Communicator

Accepted already @nadlurinadluri

0 Karma

pradeepkumarg
Influencer

Start from here

index=_internal sourcetype=web_access CLIENT_URL=*XabAB_TBBBBB_Dashboard* | stats values(USER) by CLIENT_URL

0 Karma

splunker969
Communicator

This works for me

index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
| stats count by user 

Can we also get the LastAccess timestamp there for all users using the report or dashboard?

0 Karma

horsefez
Motivator

Hi @splunk969,

try:

index="_internal" sourcetype=splunkd_ui_access | rex "\/app\/(?<app>[^\/]+)\/(?<dashboard>[^?\/\s]+)" | stats values(user) by dashboard

splunker969
Communicator

Dear @pyro_wood,

Thanks for the answer.

This search that you provided gives wrong results.

0 Karma
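
Added example (not from any poster in this thread): one way to combine the pieces above into a per-user audit of a single dashboard over a fixed window. It takes the first and last access from the epoch `_time` before formatting, so the ordering is chronological rather than alphabetical. The year in `earliest` and the output names `hits`, `first_access` and `last_access` are assumptions made for this example; the source, fields and rex pattern are the ones used in the thread.

```spl
index=_internal source=*splunkd_ui_access.log earliest="08/20/2024:00:00:00" latest=now NOT (user="-")
| rex "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search dashboard="XabAB_TBBBBB_Dashboard"
| stats count AS hits, min(_time) AS first_access, max(_time) AS last_access BY user, app, dashboard
| eval first_access=strftime(first_access, "%Y-%m-%d %H:%M:%S"), last_access=strftime(last_access, "%Y-%m-%d %H:%M:%S")
| sort - hits
```

The `_internal` index keeps 30 days of data by default, so a start date older than that returns nothing unless retention has been extended.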