Hi!
I need some help.
I want to create a dashboard that shows when someone adds a new dashboard in Splunk.
I have a search that only shows when people make changes, but I need it for when someone creates a new dashboard.
index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<file>[\S]+)\s*"
| table _time user clientip sessionId edit_type file useragent
| rename file as dashboard req_time as editTime
Ok I see.
Please try :
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
| where first_seen=now()
You can set up an alert with this search, OR leave out the last where and set up a new search that searches the lookup for dashboards you haven't seen in the last week, e.g.
@amirarsalan the REST API is the key; however, you would also need a lookup file to compare with a dashboard inventory list. PS: while using the REST API, make sure you filter out results from specific app/s as per your needs (also other filters if applicable, like a specific user, a specific dashboard naming convention, specific permissions, etc.).
Step 1: Run the following search once and pipe it to outputlookup to save it to a lookup file as the available dashboard inventory list,
let's say dashboards_inventory.csv
| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| search isDashboard="1" AND isVisible="1"
| eval Check_Date = now()
| stats last(Check_Date) as Check_Date by title eai:acl.app author
| outputlookup dashboards_inventory.csv
PS: This query would need to be run only once.
Step 2: Schedule an alert (based on frequency as per your use case, ideally daily once) to run above REST API and compare with available dashboard inventory list. This alert will take required alert action, like send out email or anything else as per your use case.
| rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
| search isDashboard="1" AND isVisible="1" NOT title IN
(
[| inputlookup dashboards_inventory.csv
| fields title
| stats values(title) as title
| eval search ="\"".mvjoin(title,"\",\"")."\""
| table search]
)
| fields title label author eai:acl.app
| eval Check_Date = now()
| stats last(Check_Date) as Check_Date by title eai:acl.app author
Step 3: If there is any additional dashboard, trigger the alert and also trigger an append "output to lookup" alert action
to update the existing dashboard inventory list. Refer to the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/OutputToCSVLookup
Please try out and confirm if the approach works for you!
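The two answers above (the accepted first_seen lookup search and the Step 1-3 inventory-diff) rely on the same idea: stamp every dashboard the REST endpoint returns with the current run time, merge that with a lookup that remembers the earliest stamp per dashboard, write the merged table back, and report only the rows whose earliest stamp is this run. Below is an added example, not code from the thread, that implements that pattern in plain Python so it can be run offline. The REST listing of /servicesNS/-/-/data/ui/views is replaced by constructed sample rows, and the first_seen_dashboard.csv lookup by a throw-away CSV file; the `apps` filter argument and the `recently_created` helper are assumptions added to show the app filtering and the "last 7 days" variant the thread talks about.

```python
# Added example (not from the thread): the "first-seen inventory" pattern that
# the accepted answer and the Step 1-3 answer build in SPL, written as plain
# Python so the logic can be exercised offline.  The REST listing of
# /servicesNS/-/-/data/ui/views is stood in for by constructed rows; the
# first_seen_dashboard.csv lookup is stood in for by a CSV file on disk.
import csv
import os
import tempfile

# The "by" clause of the stats command in the thread (app title author).
KEY = ("app", "title", "author")

# Constructed sample rows shaped like the REST fields the thread uses.
SAMPLE_LISTING = [
    {"app": "search", "title": "errors_overview", "author": "admin",
     "isDashboard": "1", "isVisible": "1"},
    {"app": "search", "title": "auth_failures", "author": "admin",
     "isDashboard": "1", "isVisible": "1"},
    # a hidden view: filtered out by isVisible="1", just as in the SPL
    {"app": "search", "title": "scratch", "author": "admin",
     "isDashboard": "1", "isVisible": "0"},
]


def load_inventory(path):
    """inputlookup: {(app, title, author): first_seen}; missing file = empty."""
    inv = {}
    if not os.path.exists(path):
        return inv
    with open(path, newline="") as fh:
        for row in csv.DictReader(fh):
            inv[tuple(row[k] for k in KEY)] = int(row["first_seen"])
    return inv


def save_inventory(path, inv):
    """outputlookup: overwrite the CSV with the merged inventory."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(list(KEY) + ["first_seen"])
        for key, ts in sorted(inv.items()):
            writer.writerow(list(key) + [ts])


def find_new_dashboards(listing, path, now, apps=None):
    """One scheduled run of the SPL:
         | where isDashboard="1" AND isVisible="1"
         | eval first_seen=now()
         | inputlookup append=t first_seen_dashboard.csv
         | stats min(first_seen) as first_seen by app title author
         | outputlookup first_seen_dashboard.csv
         | where first_seen=now()
    `apps` (an assumption, not in the thread's SPL) restricts the listing to
    those app names, the filter the second answer recommends.
    Returns the keys first seen in this run."""
    inv = load_inventory(path)
    current = [tuple(r[k] for k in KEY) for r in listing
               if r.get("isDashboard") == "1" and r.get("isVisible") == "1"
               and (apps is None or r.get("app") in apps)]
    for key in current:
        # min(first_seen) keeps the older stamp for anything already known
        inv[key] = min(inv.get(key, now), now)
    save_inventory(path, inv)
    # where first_seen=now(): only rows stamped in this very run survive
    return sorted(key for key in set(current) if inv[key] == now)


def recently_created(path, now, window_seconds=7 * 24 * 3600):
    """The 'last 7 days' view the question asks for, read from the lookup
    (the 'leave out the last where' variant of the accepted answer)."""
    inv = load_inventory(path)
    return sorted(key for key, ts in inv.items() if ts >= now - window_seconds)


def run_demo():
    """Three consecutive runs against a throw-away lookup file:
    run 1 reports everything (all dashboards are new to the lookup), run 2
    reports nothing, run 3 reports only the dashboard added in between."""
    path = os.path.join(tempfile.mkdtemp(), "first_seen_dashboard.csv")
    first = find_new_dashboards(SAMPLE_LISTING, path, now=1_000)
    second = find_new_dashboards(SAMPLE_LISTING, path, now=2_000)
    added = SAMPLE_LISTING + [{"app": "search", "title": "new_board",
                               "author": "bob", "isDashboard": "1",
                               "isVisible": "1"}]
    third = find_new_dashboards(added, path, now=3_000)
    recent = recently_created(path, now=3_000, window_seconds=1_500)
    return first, second, third, recent


if __name__ == "__main__":
    for label, rows in zip(("run 1", "run 2", "run 3", "recent"), run_demo()):
        print(label, rows)
```

Two things carry over from the SPL worth keeping in mind: the first run always reports every dashboard (as the thread later notes), so an alert should be armed only after the lookup has been seeded once, and a dashboard that is deleted stays in the lookup forever, because the merge only ever adds rows. Whether a new dashboard shows up at all depends on what the REST call returns to the account running the scheduled search, which is the namespace/permission point raised further down in the thread.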
Hi!
I have this search:
| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName
How do I create an alert when someone creates a new dashboard? Can I use this search?
Or can I create a dashboard with that search that only shows when someone creates a new dashboard?
For example, the last 7 days.
@amirarsalan did you try the above approach?
Hi!
Step one is done, but for the other two I need more information. I don't know how to do them.
I tried it and I got a response this time with a lot of dashboards, then I tried to create a new dashboard but nothing showed up 😞
I forgot to say, I only get a response on the search when I put
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
With | where first_seen=now() I don't get any response.
It's normal that you get all dashboards the first time you run the search (for the search they are all new). The second time there should be no results, unless you created a new one in between.
Aha, then I understand, because I got results the first time I ran the search and not the second time.
But after that I created a new dashboard and still I did not get any results.
In my test box it's working.
Does the new dashboard show up in the rest call itself?
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
Please perform the search step by step and try to figure out at which point your new dashboard can't be found / is it written to the lookup? etc.
I can only see my old dashboards.
Sounds more like a permission issue; the search is working.
Hi dkeck,
I found another search
| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName
Now I can see all dashboards, also my own.
Can you help me now with that search? I only want to see when some person creates a new dashboard. My search shows all our dashboards.
Hi, just append the second part of the search to your new search:
| rest /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen label author
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title label author
| outputlookup first_seen_dashboard.csv
| where first_seen=now()
Your new REST endpoint provides a lot of system dashboards (from the Monitoring Console etc.); I don't know if this is what you wanted, just be aware of it.
Thanks, it works now 🙂
I have superadmin; I can see other users' dashboards when I use the search, and my own dashboards, but not the new ones I created.
If you add | table title updated
after running your search
new search:
| rest /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| table title updated
I can see my newly added dashboards.
I tried that, I can only see a bunch of dashboards that were newly updated. I only want to see new dashboards.
Take a look into
| rest /services/data/ui/views
| search isDashboard="1"
hope this helps for further SPL. 🙂
Skalli