Hi Everyone,
I have one requirement. We have over 100 dashboards built for our App. Our team spends a lot of time monitoring the availability and accuracy of these dashboards.
I want to see the list of users who are visiting the dashboards with the count.
I am using the below query:
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
The issue I am facing is:
I am not getting all the users who are visiting the dashboards.
Can someone guide me on this?
Just because the log entry has EPSF_Infrastructure in it somewhere doesn't mean that the user is accessing a dashboard. I suspect your stats are correct, just not what you were expecting. Unless you can find a log entry that is from a dashboard visit that doesn't appear in your counts, I think your queries are OK. Probably the first one is best as it is reasonably straight forward.
How do you know you are not getting all the users? Are there records in the internal index which are being removed by the query that shouldn't be? What do these records look like?
I tried with the below queries:
1st Query
index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user
2nd Query
index="_internal" user!="-" sourcetype=splunkd_ui_access
| rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"
| search app=EPSF_Infrastructure
| stats count by app dashboard user
3rd Query
index="_internal" user!="-" sourcetype=splunkd_ui_access
| rex field=uri_path "\/app\/(?<app>[^\/]+)\/(?<dashboard>\S+)"
| search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"
| stats values(user) AS user count AS hits BY app dashboard
| join type=left dashboard
[ | rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1 disabled=0
| table title eai:appName eai:acl.sharing
| rename title AS dashboard eai:appName AS app eai:acl.sharing AS appSharing]
| where app = "EPSF_Infrastructure"
| table app dashboard user hits
| sort 0 app
EPSF_Infrastructure is my app name.
I have attached the screenshot. I am able to see 74 users for the last 7 days. But why am I not getting all the users? Am I fetching app and dashboard with a wrong regex?
Can you please guide me.
It is hard to know if the rex is right since you haven't provided any examples from your logs to show matches and non-matches.
Which users are you not getting? Are they missing from particular dashboards? Do you have any examples of log messages which you think are not being counted?
With all the 3 queries I am getting only 2-3 users' data, like for kmath19, nmago.
I can see that for the app "EPSF_Infrastructure" I am able to see 116 users.
Logs for kmath19 (the user whose name is displaying):
10.18.24.6 - kmath19 [04/Jan/2021:12:30:05.523 -0700] "GET /en-US/splunkd/__raw/servicesNS/kmath19/EPSF_Infrastructure/saved/searches/_new?output_mode=json&_=1609787311901 HTTP/1.1" 200 7469 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" - 6d688f4e51ac535edce08553bb42606e 7ms
Logs for user "gtirunel" whose name is not displaying:
01-04-2021 12:32:21.376 -0700 INFO SavedSplunker - savedsearch_id="gtirunel;EPSF_Infrastructure;Salesforce_User_Licenses_Embed02", search_type="", user="gtirunel", app="EPSF_Infrastructure", savedsearch_name="Salesforce_User_Licenses_Embed02", priority=default, status=success, digest_mode=1, scheduled_time=1609788720, window_time=0, dispatch_time=1609788735, run_time=4.771, result_count=14, alert_actions="", sid="scheduler__gtirunel_RVBTRl9JbmZyYXN0cnVjdHVyZQ__RMD5b4606a84d22c108d_at_1609788720_44851_11E2866B-AB2E-4342-8D51-4948AA7A5661", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""
Logs for user "mbass4" whose name is not displaying:
01-04-2021 12:15:43.447 -0700 INFO SavedSplunker - savedsearch_id="mbass4;EPSF_Infrastructure;E3 Nifi Error _hourly", search_type="", user="mbass4", app="EPSF_Infrastructure", savedsearch_name="E3 Nifi Error _hourly", priority=default, status=success, digest_mode=0, scheduled_time=1609787700, window_time=0, dispatch_time=1609787740, run_time=1.945, result_count=0, alert_actions="", sid="scheduler__mbass4_RVBTRl9JbmZyYXN0cnVjdHVyZQ__RMD5740ca27eefa610d1_at_1609787700_44339_EEF36579-5AEC-40AC-A871-292FF322AD2D", suppressed=0, fired=0, skipped=0, action_time_ms=1, thread_id="AlertNotifierWorker-0", message="", workload_pool=""
I am not sure why I am not getting all the users.
I have attached the screenshots for the total users.
Can you guide me on why I am just getting 1-2 users like kmath19 and not other users through all three queries?
Here, is EPSF_Infrastructure the dashboard name?
The second and third logs do not appear to be from the same source type as the first. How did you get these logs?
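As an added illustration (not code from the thread), the Python below applies the question's own rex and exclusion list to the quoted log lines, plus one constructed dashboard hit, so you can see which records the query can count and why the SavedSplunker lines never will: they are scheduler events with no HTTP request, not splunkd_ui_access records.

```python
import re
from collections import Counter

# Sample records: the first and third are trimmed from the lines quoted in the thread,
# the second and fourth are constructed (a real dashboard view and an anonymous request).
SAMPLE_LINES = [
    '10.18.24.6 - kmath19 [04/Jan/2021:12:30:05.523 -0700] "GET /en-US/splunkd/__raw/servicesNS/kmath19/EPSF_Infrastructure/saved/searches/_new?output_mode=json HTTP/1.1" 200 7469 "-" "Mozilla/5.0" - 6d688f4e51ac535edce08553bb42606e 7ms',
    '10.18.24.6 - kmath19 [04/Jan/2021:12:31:10.001 -0700] "GET /en-US/app/EPSF_Infrastructure/nifi_errors?earliest=-24h HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 6d688f4e51ac535edce08553bb42606e 9ms',
    '01-04-2021 12:32:21.376 -0700 INFO SavedSplunker - savedsearch_id="gtirunel;EPSF_Infrastructure;Salesforce_User_Licenses_Embed02", user="gtirunel", app="EPSF_Infrastructure", status=success',
    '10.18.24.7 - - [04/Jan/2021:12:33:00.000 -0700] "GET /en-US/account/login HTTP/1.1" 200 1200 "-" "Mozilla/5.0" - 0000000000000000000000000000dead 2ms',
]

# splunkd_ui_access is a combined-log style record: client - user [time] "METHOD uri HTTP/x" ...
UI_ACCESS = re.compile(r'^(?P<client>\S+) - (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')
# Same extraction as the rex in the question: /<locale>/app/<app>/<dashboard>
DASHBOARD_RE = re.compile(r"^/[^/]+/app/(?P<app>[^/]+)/(?P<dashboard>[^?/\s]+)")
# Same exclusion list as the question's "search NOT dashboard IN (...)"
NOT_DASHBOARDS = {"alert", "alerts", "dashboards", "dataset", "datasets", "data_lab",
                  "home", "lookup_edit", "reports", "report", "search", "splunk"}


def classify(line):
    """Return (reason, app, dashboard, user) explaining how the query treats one raw line."""
    m = UI_ACCESS.match(line)
    if not m:
        return ("not a ui_access record", None, None, None)   # e.g. SavedSplunker scheduler lines
    if m["user"] == "-":
        return ("unauthenticated request", None, None, None)  # dropped by user!="-"
    d = DASHBOARD_RE.match(m["uri"])
    if not d:
        return ("uri is not an /app/ view", None, None, m["user"])  # REST/__raw calls, static assets
    if d["dashboard"] in NOT_DASHBOARDS:
        return ("built-in view, excluded", d["app"], d["dashboard"], m["user"])
    return ("dashboard visit", d["app"], d["dashboard"], m["user"])


def count_dashboard_visits(lines, app=None):
    """Equivalent of '| stats count by app dashboard user', optionally limited to one app."""
    counts = Counter()
    for line in lines:
        reason, a, dash, user = classify(line)
        if reason == "dashboard visit" and (app is None or a == app):
            counts[(a, dash, user)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line)[0], "<-", line[:60])
    print(count_dashboard_visits(SAMPLE_LINES, app="EPSF_Infrastructure"))
```

Note that even the quoted kmath19 line is a saved-search REST call under /splunkd/__raw/, so it is not a dashboard visit either; the users the query reports come from other ui_access records whose path starts with /en-US/app/.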
Hi Team,
Can anyone please guide me on the above issue?