Dashboards & Visualizations
Highlighted

Ever wonder which dashboards are being used and what users are using them?

Communicator

The dashboard below should help answer that question for you.

The User dropdown uses a |rest search to get a list of LDAP users so if you don't have access to run | rest or aren't using LDAP then that dropdown won't populate but the dashboard will still work fine you just won't be able to look at all dashboard usage for a single user.

You can drilldown on any dashboard that shows in the chart to see the specific users that are using the dashboard per day. To go back to the main chart select the "Reset Drilldown" button.

NOTE - You will need the tokenlinks.js available for the reset button to work. I got it from the 6.x Dashboard Examples App.

 <form script="tokenlinks.js">
    <label>Dashboard Usage</label>
    <fieldset submitButton="true">
      <input type="time" token="field1">
        <label>Max is 30 days back</label>
        <default>
          <earliest>-3d@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="multiselect" token="user">
        <label>User</label>
        <choice value="*">All Users</choice>
        <search>
          <query>|rest /services/authentication/users splunk_server=local 
   |fields title type realname|rename title as userName|rename realname as Name | search type=LDAP | eval display=userName+" - "+Name | fields userName display</query>
        </search>
        <fieldForLabel>display</fieldForLabel>
        <fieldForValue>userName</fieldForValue>
        <default>*</default>
        <prefix>user=</prefix>
        <delimiter> OR user=</delimiter>
      </input>
    </fieldset>
    <search id="baseDashboardUse">
        <query>index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" | bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time  </query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
     </search>
    <row>
      <panel depends="$field1.earliest$" rejects="$dashboard$">
        <title>Distinct count of users that visited each dashboard per day - (Top 25)</title>
        <chart>
          <title>Select a dashboard to see more info about it</title>
          <search base="baseDashboardUse">
            <query>search $user$ | timechart span=1d limit=25 useother=f count by dashboard</query>           
          </search>
          <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
          <option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
          <option name="charting.axisTitleX.visibility">collapsed</option>
          <option name="charting.axisTitleY.visibility">visible</option>
          <option name="charting.axisTitleY2.visibility">visible</option>
          <option name="charting.axisX.scale">linear</option>
          <option name="charting.axisY.scale">linear</option>
          <option name="charting.axisY2.enabled">0</option>
          <option name="charting.axisY2.scale">inherit</option>
          <option name="charting.chart">column</option>
          <option name="charting.chart.bubbleMaximumSize">50</option>
          <option name="charting.chart.bubbleMinimumSize">10</option>
          <option name="charting.chart.bubbleSizeBy">area</option>
          <option name="charting.chart.nullValueMode">gaps</option>
          <option name="charting.chart.showDataLabels">none</option>
          <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.chart.style">shiny</option>
          <option name="charting.drilldown">all</option>
          <drilldown>
            <set token="dashboard">$click.name2$</set>
          </drilldown>
          <option name="charting.layout.splitSeries">0</option>
          <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
          <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
          <option name="charting.legend.placement">right</option>
          <option name="height">800</option>
        </chart>
      </panel>
    </row>
    <row>
      <panel depends="$dashboard$">
        <title>Distinct count of users that visited each dashboard per day</title>
        <chart>
          <search base="baseDashboardUse">
            <query>search dashboard=$dashboard$ | timechart span=1d limit=25 useother=f count by dashboard</query>           
          </search>
          <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
          <option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
          <option name="charting.axisTitleX.visibility">collapsed</option>
          <option name="charting.axisTitleY.visibility">visible</option>
          <option name="charting.axisTitleY2.visibility">visible</option>
          <option name="charting.axisX.scale">linear</option>
          <option name="charting.axisY.scale">linear</option>
          <option name="charting.axisY2.enabled">0</option>
          <option name="charting.axisY2.scale">inherit</option>
          <option name="charting.chart">column</option>
          <option name="charting.chart.bubbleMaximumSize">50</option>
          <option name="charting.chart.bubbleMinimumSize">10</option>
          <option name="charting.chart.bubbleSizeBy">area</option>
          <option name="charting.chart.nullValueMode">gaps</option>
          <option name="charting.chart.showDataLabels">none</option>
          <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.chart.style">shiny</option>
          <option name="charting.drilldown">none</option>
          <option name="charting.layout.splitSeries">0</option>
          <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
          <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
          <option name="charting.legend.placement">bottom</option>
          <option name="height">400</option>
        </chart>
      </panel>
    </row>
    <row>
      <panel>
        <title>Distinct users that visited $dashboard$</title>
        <html depends="$dashboard$">
           <button class="btn" data-unset-token="dashboard">Reset Drilldown</button>
        </html>
        <table depends="$dashboard$">
         <search base="baseDashboardUse">
            <query>search dashboard=$dashboard$ | stats values(user) as "Unique Users" by _time</query>           
         </search>
          <option name="wrap">true</option>
          <option name="rowNumbers">false</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">cell</option>
          <option name="count">10</option>
        </table>
      </panel>
    </row>
  </form>

alt text
alt text

Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Communicator

If this helped you upvote this to show that it would be nice to have more dashboards like this out of the box for admins to see what users are doing. If you used this and made any enhancements/changes please comment below so all of us can benefit from them.

Thanks!

View solution in original post

Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Explorer

This is very useful. However, to make it work on a Windows install I had to change:

source="/opt/splunk/var/log/splunk/splunkduiaccess.log"

to

source="*splunkduiaccess.log"

Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

SplunkTrust
SplunkTrust

This is good. Here are my changes:-

1) Replace all source references using splunkduiacc.log references to just "sourcetype=splunkd_ui_access", as it'll always work regardless of OS, install directory etc. changes.
2) Remove app=search filter as there can be dashboard in different app
3) Used post-process for performance improvement.

0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Communicator

Somesoni2 I have changed the source= to your recommended sourcetype= instead. Thanks for the suggestion.

Do you mind posting your post-processed xml? I can edit the original as well with those changes to help future users of this.

0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Communicator

Dumb question, but where do I add tokenlinks.js? If I add it to appserver/static, I still don't see a reset button.
Edit: leaving this up here because I'm impatient. It does show up.

0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Motivator

Odd, I see the dropdowns but I get Search returned no results..... We aren't using LDAP and I'm admin. I did a straight copy/paste.

0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

SplunkTrust
SplunkTrust

If you're not using LDAP authentication then update the multiselect query to change | search type=LDAP with | search type=Splunk

0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Motivator

will give that a try.... I hacked at the first query and came up with this

index="_internal"  sourcetype=splunkd_ui_access   |rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" `|search app="search" dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" |`bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time  | timechart span=1d limit=25 useother=f count by dashboard

but it fails at the section below

 |search app="search" dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" |
0 Karma
Highlighted

Re: Ever wonder which dashboards are being used and what users are using them?

Motivator

using | search type=Splunk got the users to populate, thanks! Dashboard is still returning zero results when ALL users is selected. If I select a single user (me) I get the same blank dashboard result.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.