Dashboards & Visualizations

How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?

Jewatson17
Path Finder

I need a query that will pull the count or percentage of usage of each dashboard in my environment or a query to list the used dashboards.

1 Solution

cmerriman
Super Champion
index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" 

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

View solution in original post

cmerriman
Super Champion
index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" 

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

MuS
Legend

Thanks for this nice search @cmerriman !

For everyone else out there that are wondering why they don't get results after c/p this SPL: remember not everyone uses "en-US/app" as locale 😉

cheers, MuS

cmerriman
Super Champion

Good point @MuS ! Thanks!

0 Karma

Jewatson17
Path Finder

I try to run it and I get No results found
Any reason?

0 Karma

BrettRoberts
Explorer

This was perfect for my use case! Thanks so much

0 Karma

cmerriman
Super Champion

if you run index="_internal" sourcetype=splunkd_ui_access do you get results? try to break the search down bit by bit. this is the search ran on my environment, so it may need a bit of tweaking.

0 Karma

Jewatson17
Path Finder

yes this populates results

0 Karma

cmerriman
Super Champion

when you add | rex field=uri "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)", do you get fields called app and dashboard that are populated with apps (search, and other apps in your enviro as well as dashboard names)? i'm tweaking this on the fly a little.

0 Karma

Jewatson17
Path Finder

I do not get any of those fields populated

0 Karma

cmerriman
Super Champion

then that's where the problem is. try the rex command without field=uri. | rex "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" it'll regex from the raw event. see if that works and populates accurate results.

0 Karma

Jewatson17
Path Finder

That worked. Thank you. I have results now, but Should the results only be dashboard names or does it populate all views? I only want dashboard names.

0 Karma

cmerriman
Super Champion

it brings in pages like alerts, dashboards, reports, etc. we use | search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" in ours to exclude those. you can also add search app=search if you're only looking for the search and reporting dashboards.

0 Karma

Jewatson17
Path Finder

thanks a lot!

0 Karma

jayachandrank
Explorer

@cmerriman Hi..It works well ask per your comments but i can see it shows others private dashboards usage as well which I don't want because they can be used to test purpose which they will hit many times definitely... I need to check only the dashboards which are shared to all users.. i need to ignore the private dashboards which created by anyone...How to achieve this

0 Karma

gjanders
SplunkTrust
SplunkTrust
0 Karma

Kwip
Contributor

You can the Dashboard Monitoring App from Splunk Base for better experience of data.

https://splunkbase.splunk.com/app/3350/

And follow the below post, may be fulfill your need

https://answers.splunk.com/answers/126036/case-how-to-find-the-dashboard-usage-data.html

0 Karma

anywhere99
Explorer

Thanks for the searches!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...