Solved: Re: How can I create a query to find dashboard usa...

Jewatson17 · ‎02-09-2018

I need a query that will pull the count or percentage of usage of each dashboard in my environment or a query to list the used dashboards.

cmerriman · ‎02-12-2018

index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

View solution in original post

cmerriman · ‎02-12-2018

index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

MuS · ‎05-10-2020

Thanks for this nice search @cmerriman !

For everyone else out there that are wondering why they don't get results after c/p this SPL: remember not everyone uses "en-US/app" as locale 😉

cheers, MuS

cmerriman · ‎05-10-2020

Good point @MuS ! Thanks!

Jewatson17 · ‎02-12-2018

I try to run it and I get No results found
Any reason?

BrettRoberts · ‎09-08-2019

This was perfect for my use case! Thanks so much

cmerriman · ‎02-12-2018

if you run index="_internal" sourcetype=splunkd_ui_access do you get results? try to break the search down bit by bit. this is the search ran on my environment, so it may need a bit of tweaking.

Jewatson17 · ‎02-12-2018

yes this populates results

cmerriman · ‎02-12-2018

when you add | rex field=uri "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)", do you get fields called app and dashboard that are populated with apps (search, and other apps in your enviro as well as dashboard names)? i'm tweaking this on the fly a little.

Jewatson17 · ‎02-12-2018

I do not get any of those fields populated

cmerriman · ‎02-12-2018

then that's where the problem is. try the rex command without field=uri. | rex "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" it'll regex from the raw event. see if that works and populates accurate results.

Jewatson17 · ‎02-12-2018

That worked. Thank you. I have results now, but Should the results only be dashboard names or does it populate all views? I only want dashboard names.

cmerriman · ‎02-12-2018

it brings in pages like alerts, dashboards, reports, etc. we use | search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" in ours to exclude those. you can also add search app=search if you're only looking for the search and reporting dashboards.

Jewatson17 · ‎02-12-2018

thanks a lot!

jayachandrank · ‎05-15-2019

@cmerriman Hi..It works well ask per your comments but i can see it shows others private dashboards usage as well which I don't want because they can be used to test purpose which they will hit many times definitely... I need to check only the dashboards which are shared to all users.. i need to ignore the private dashboards which created by anyone...How to achieve this

gjanders · ‎02-12-2018

The search activity app likely has a view for this but I have not tested it...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Kwip · ‎02-11-2018

You can the Dashboard Monitoring App from Splunk Base for better experience of data.

https://splunkbase.splunk.com/app/3350/

And follow the below post, may be fulfill your need

https://answers.splunk.com/answers/126036/case-how-to-find-the-dashboard-usage-data.html

anywhere99 · ‎02-20-2020

Thanks for the searches!

How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?