Hi Everyone,
I have one requirement. We have over 100 dashboards built for our App. Our team spends a lot of time monitoring the availability and accuracy of these dashboards.
I want to see the list of users who are visiting the dashboards with the count.
I am using the below query:
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
EPSF_Infrastructure is my app name.
The issue I am facing is:
I am not getting all the users who are visiting the dashboards.
Do I need to extract the users?
Can someone guide me on this?
How about curl and awk?
How can we get through curl and awk?
I am not sure.
I have used this query but I don't know why it's not giving me all the users who have accessed the dashboard.
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
I can't use all this in my project.
Can I get it from Splunk directly? Can you guide me where my query is wrong?
Why is it not giving all the users?
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
Are you asking this question to a subcontractor on a job?
Sorry for communication.
I meant to say I want to fetch the results from Splunk only.
I am not sure why this query is not working. I checked in the logs; the user field is already extracted.
So I am not sure whether I need to extract it again or not.
Can you please guide me?
Maybe we should tally the results by search head.
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself
Isn't there enough host?
I am not getting this but I am not getting all the users. It's showing some users only.
Not sure why; the users field is already extracted.
In Alerts for Splunk Admins (https://splunkbase.splunk.com/app/3796/) there is a search called SearchHeadLevel - platform_stats access summary.
It's a lot more detail than you need but might give you an example to work from.
How can I check the number of users from there?
Can you guide me? Actually, I need to create a dashboard with a query to get the number of users with their access counts.
So I made this query:
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
But I am not able to get all the users.
I want to know which dashboards are accessed the most and which are not accessed at all, with the users who are accessing them and the counts.
Can you guide me on this?
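One way to see at which stage of the query above an event stops being counted, as an added example that is not from any poster in this thread: it replays the `user!="-"` filter, the rex, the `NOT dashboard IN (...)` exclusion and the `stats ... by` over (user, uri) pairs. The sample values are constructed, and the raw-term filters (`EPSF_Infrastructure NOT splunkd`) are not modelled.

```python
import re
from collections import Counter

# The rex pattern from the query; Python writes named groups as (?P<name>...).
URI_RE = re.compile(r"^/[^/]+/app/(?P<app>[^/]+)/(?P<dashboard>[^?/\s]+)")
# The names listed in the query's `search NOT dashboard IN (...)` clause.
EXCLUDED = {"alert", "alerts", "dashboards", "dataset", "datasets", "data_lab",
            "home", "lookup_edit", "reports", "report", "search", "splunk"}

def tally(events):
    """events: iterable of (user, uri) pairs. Returns (counts, dropped)."""
    counts, dropped = Counter(), Counter()
    for user, uri in events:
        # user!="-" only keeps events where the user field exists and is not "-".
        if user is None or user == "-":
            dropped["user missing or -"] += 1
            continue
        m = URI_RE.search(uri)
        # Without app/dashboard fields, `stats count by app dashboard user` drops the event.
        if m is None:
            dropped["no app/dashboard extracted"] += 1
            continue
        # The search command compares field values case-insensitively.
        if m["dashboard"].lower() in EXCLUDED:
            dropped["dashboard in exclusion list"] += 1
            continue
        counts[(m["app"], m["dashboard"], user)] += 1
    return counts, dropped

# Constructed sample values, not taken from a real _internal index.
SAMPLE = [
    ("alice", "/en-US/app/EPSF_Infrastructure/overview"),
    ("alice", "/en-US/app/EPSF_Infrastructure/overview?form.t=1"),
    ("bob", "/en-US/app/EPSF_Infrastructure/capacity"),
    ("-", "/en-US/app/EPSF_Infrastructure/overview"),
    ("carol", "/en-US/app/EPSF_Infrastructure/search?q=index%3Dmain"),
    ("dave", "/en-US/static/app/EPSF_Infrastructure/logo.png"),
]

if __name__ == "__main__":
    counts, dropped = tally(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    for reason, n in dropped.items():
        print("dropped:", n, reason)
```

Comparing the dropped reasons against the users known to be missing shows which clause of the query to inspect first.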