Solved: Re: How do you monitor for when someone creates a ...

amirarsalan · ‎01-07-2019

Hi!

I need some help.

I want to create a dashboard that shows when someone adds a new dashboard in Splunk.

I have a search that only shows when people make changes, but I need it for when someone creates a new dashboard.

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
  | rex field=referer "/(?editx?m?l?)(\?|$)"
  | rex field=other "\s*?\-\s*(?[\S]+)\s*"
  | table _time user clientip sessionId edit_type file useragent
  | rename file as dashboard req_time as editTime

dkeck · ‎01-09-2019

Ok I see.

Please try :

| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
| where first_seen=now()

You can set up an alert with this search OR leave out the last where and set up a new search to search the lookup for dashboards you haven´t seen in the last week e.g.

View solution in original post

niketn · ‎01-13-2019

@amirarsalan rest API is the key however, you would also need lookup file to compare with a dashboard inventory list. PS: while using rest api make sure you filter out results from specific app/s as per your needs (also other filters if applicable like specific user/specific dashboard naming convention, specific permissions etc)

Step 1: Run the above search once and pipe outputlookup for saving to a lookupfile as available dashboard inventory list lets say dashboards_inventory.csv.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1"
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author
| outputlookup dashboards_inventory.csv

PS: This query would need to be run only once.

Step 2: Schedule an alert (based on frequency as per your use case, ideally daily once) to run above REST API and compare with available dashboard inventory list. This alert will take required alert action, like send out email or anything else as per your use case.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1" NOT title IN 
    (
      [| inputlookup dashboards_inventory.csv 
       | fields title 
       | stats values(title) as title 
       | eval search ="\"".mvjoin(title,"\",\"")."\"" 
       | table search]
    )
| fields title label author eai:acl.app 
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author

Step 3: If there is any additional Dashboard trigger the alert and also trigger an append output to lookup Alert action to update existing available dashboard inventory list. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/OutputToCSVLookup
Please try out and confirm if the approach works for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

amirarsalan · ‎01-14-2019

Hi!
I have this search| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

How do i create an alert when someone creates a new dashboard. Can i use this search?

amirarsalan · ‎01-14-2019

Or if i can create a dashbord with that search thats only shows when someone create a new dashboard.

Example the last 7 days

niketn · ‎01-14-2019

@amirarsalan did you try the above approach?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

amirarsalan · ‎01-14-2019

Hi!
Step one is done but the two others i need more information. Idont know how to made them

dkeck · ‎01-09-2019

Ok I see.

Please try :

| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
| where first_seen=now()

You can set up an alert with this search OR leave out the last where and set up a new search to search the lookup for dashboards you haven´t seen in the last week e.g.

amirarsalan · ‎01-09-2019

I tried it and i got respond this time with a lot of dashboards, then i tired to create a new dashboard but nothing showed up 😞

amirarsalan · ‎01-09-2019

With | where first_seen=now() i don't get any respons

dkeck · ‎01-09-2019

Its normal that you get all dashboards on the fist time you enter the search ( for the search they are all new). Second time there should be no results, except you created a new one in between.

amirarsalan · ‎01-09-2019

Aha then i understand, because i got results first time i run the search and not the second time.
But after that i created i new dashboard but still i did not get any results

dkeck · ‎01-09-2019

in my test box it´s working.

Does the new dashboard show up in the rest call itself?
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"

Please perform the search step by step and try to figure out at which point your new dashboard can´t be found / is it wirtten to the lookup? etc.

amirarsalan · ‎01-09-2019

I can only see my old dashboards

dkeck · ‎01-09-2019

sounds more like a permission issue, the search is working

amirarsalan · ‎01-11-2019

Hi dkeck,

I found another search

| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

Now i can see my all dashboards also my own.

Can you help me now with that search? I only want to see when some person create a new dashboard. My search shows all our dashboards

dkeck · ‎01-15-2019

HI just append the second part of the search to your new search:

   | rest /servicesNS/-/-/data/ui/views
  | rename eai:acl.app as app
  | eval first_seen=now()
  | table app title first_seen label author
  | inputlookup append=t first_seen_dashboard.csv
  | stats min(first_seen) as first_seen by app title label author
     | outputlookup first_seen_dashboard.csv
     | where first_seen=now()

Your new rest endpoints provides a lot of system dashboards ( from Management Cosole etc.) don´t know if this is what you wanted just be aware of it.

amirarsalan · ‎01-16-2019

Thanks it's works now 🙂

amirarsalan · ‎01-09-2019

I have superadmin, i can see other users dashboard when i use the search and my own dashboards but not the new ones i created

dkeck · ‎01-09-2019

If you add | table title updated after running your search

new search:

| rest /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| table title updated

I can see my newly added dashboards.

amirarsalan · ‎01-09-2019

I tried that, i can only see a punch of dashboard that was newly updated. I only want to see newly dashboard

skalliger · ‎01-08-2019

Take a look into

| rest /services/data/ui/views
| search isDashboard="1"

hope this helps for further SPL. 🙂

Skalli

How do you monitor for when someone creates a new dashboard?

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)