Solved: Re: Can you search for users who are using a dashb...

splunker969 · ‎08-29-2018

I'm looking for query where we can find users using the dashboards. The report I need is of users using XabAB_TBBBBB_Dashboard in Splunk Report Window, between the 20th August - Till Date.

But when I try to find it by using below query, it gives the wrong
results .Thanks in advance 🙂

index="_internal"  sourcetype=splunkd_ui_access | rex "/app/(?[^/]+)/(?[^?/\s]+)" |stats values(user)

nadlurinadluri · ‎08-31-2018

index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| stats values(USER) by access_time ,user

OR

index=_internal source=web_access.log /app/
| rex "(?:[^/\n]*/){5}(?P[^/]+)[^/\n]*/(?P\w+\s+)"    -----> this is for extracting appname and viewname  (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here)
| search app_name!="search" view_name!="search" app_name!="launcher"
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User

View solution in original post

nadlurinadluri · ‎08-31-2018

index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| stats values(USER) by access_time ,user

OR

index=_internal source=web_access.log /app/
| rex "(?:[^/\n]*/){5}(?P[^/]+)[^/\n]*/(?P\w+\s+)"    -----> this is for extracting appname and viewname  (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here)
| search app_name!="search" view_name!="search" app_name!="launcher"
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User

splunker969 · ‎09-04-2018

Thanks @nadlurinadluri ,

This worked in my case -

 index=_internal source=*splunkd_ui_access.log uri="*" NOT (user="-") 

| eval access_time =strftime(_time,"%b %d, %Y : %H:%M:%S") 
| stats min(access_time) as "Firstaccess" max(access_time) as "lastaccess" by user

nadlurinadluri · ‎09-04-2018

Glad it worked for you!! Can you accept it if you are satisfied with the answer 🙂

splunker969 · ‎09-05-2018

Accepted already @nadlurinadluri

pradeepkumarg · ‎08-30-2018

Start from here

index=_internal sourcetype=web_access CLIENT_URL=*XabAB_TBBBBB_Dashboard* | stats values(USER) by CLIENT_URL

splunker969 · ‎08-31-2018

This works for me

index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
| stats count by user

Can we also get the LastAcess Time stamp there by all users using the report OR Dashboard?

horsefez · ‎08-29-2018

Hi @splunk969,

try:

index="_internal" sourcetype=splunkd_ui_access | rex "\/app\/(?<app>[^\/]+)\/(?<dashboard>[^?\/\s]+)" | stats values(user) by dashboard

splunker969 · ‎08-30-2018

Dear @ pyro_wood ,

Thanks for answer.

This search that you provided gives wrong results .

Can you search for users who are using a dashboard between certain dates?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation