Dashboards & Visualizations
Highlighted

Can you search for users who are using a dashboard between certain dates?

Communicator

I'm looking for query where we can find users using the dashboards. The report I need is of users using XabABTBBBBBDashboard in Splunk Report Window, between the 20th August - Till Date.

But when I try to find it by using below query, it gives the wrong
results .Thanks in advance 🙂

index="_internal"  sourcetype=splunkd_ui_access | rex "/app/(?[^/]+)/(?[^?/\s]+)" |stats values(user)
0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

SplunkTrust
SplunkTrust

Hi @splunk969,

try:

index="_internal" sourcetype=splunkd_ui_access | rex "\/app\/(?<app>[^\/]+)\/(?<dashboard>[^?\/\s]+)" | stats values(user) by dashboard

Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator

Dear @ pyro_wood ,

Thanks for answer.

This search that you provided gives wrong results .

0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Influencer

Start from here

index=internal sourcetype=webaccess CLIENTURL=*XabABTBBBBBDashboard* | stats values(USER) by CLIENTURL

0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator

This works for me

index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
| stats count by user 

Can we also get the LastAcess Time stamp there by all users using the report OR Dashboard?

0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator
index=_internal source=*splunkd_ui_access.log uri="app uri" NOT (user="-") 
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| stats values(USER) by access_time ,user

OR

index=_internal source=web_access.log /app/
| rex "(?:[^/\n]*/){5}(?P[^/]+)[^/\n]*/(?P\w+\s+)"    -----> this is for extracting appname and viewname  (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here)
| search app_name!="search" view_name!="search" app_name!="launcher"
|search sourcetype=splunk_web_access 
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User

View solution in original post

Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator

Thanks @nadlurinadluri ,

This worked in my case -

 index=_internal source=*splunkd_ui_access.log uri="*" NOT (user="-") 

| eval access_time =strftime(_time,"%b %d, %Y : %H:%M:%S") 
| stats min(access_time) as "Firstaccess" max(access_time) as "lastaccess" by user 
0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator

Glad it worked for you!! Can you accept it if you are satisfied with the answer 🙂

0 Karma
Highlighted

Re: Can you search for users who are using a dashboard between certain dates?

Communicator

Accepted already @nadlurinadluri

0 Karma