How to get dashboard information on users who ran it and time it ran

rosh_dsa
New Member

How do I get dashboard info, like title of dashboard, uri_path, search (query) on the tiles, user who ran it and last time it ran?
I am new to Splunk.
I am looking at using:

index=_internal sourcetype=splunkd_ui_access uri="/en-US/app/*/*"

Any directions much appreciated.


arjunpkishore5
Motivator

This will give you the dashboard definition

| rest /servicesNS/-/-/data/ui/views 

And this will give you dashboard usage metrics

index=_internal sourcetype=splunkd_ui_access 
    [| rest /servicesNS/-/-/data/ui/views 
    | rename eai:acl.app as app 
    | search NOT app=system 
    | strcat "GET*/app/" app "/" title dashboard 
    | table dashboard 
    | rename dashboard as search 
    | format] 
| rex field=other "\s(?<response_time_ms>\d+)ms" 
| rex field=uri_path "\/app\/(?<app>[^\/]+)\/(?<dashboard>\S+)" 
| table _time, host, user, app, dashboard, response_time_ms 

Hope this helps.

Please upvote and mark as answer if this is what you were looking for.

Regards
Arjun
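
Added example, not part of the original answer: one way to combine the two searches above into a single per-user audit view that shows, for each dashboard, who opened it, how often, and when it was last opened, alongside its label and definition. It assumes unauthenticated requests are logged with user "-", narrows the `dashboard` capture to a single path segment, and the output names `views`, `last_run`, `dashboard_label` and `definition_xml` are chosen here; the panel searches are the `<query>` elements inside `definition_xml`.

```spl
index=_internal sourcetype=splunkd_ui_access uri_path="*/app/*/*" NOT user="-"
| rex field=uri_path "\/app\/(?<app>[^\/]+)\/(?<dashboard>[^\/\s]+)"
| stats count as views, latest(_time) as last_run by app, dashboard, user
| join type=left app, dashboard
    [| rest /servicesNS/-/-/data/ui/views
     | rename eai:acl.app as app, title as dashboard, label as dashboard_label, eai:data as definition_xml
     | table app, dashboard, dashboard_label, definition_xml]
| sort - last_run
| eval last_run=strftime(last_run, "%Y-%m-%d %H:%M:%S")
| table app, dashboard, dashboard_label, user, views, last_run, definition_xml
```

Rows with an empty `dashboard_label` are URL paths under `/app/` that do not correspond to a saved view, which is a quick way to separate real dashboard loads from other UI requests.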

niketn
Legend

@rosh_dsa refer to the answer by @cmerriman if you are looking to create your own query for Splunk Dashboard Usage: https://answers.splunk.com/answers/617051/how-can-i-create-a-query-to-find-dashboard-usage-a.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

aberkow
Builder

If you have access to your monitoring console https://docs.splunk.com/Documentation/Splunk/7.3.2/DMC/DMCoverview (under Settings -> Monitoring Console [lower left panel]) and can drill down into the Search dropdown (Search -> Search Activity: Instance) there are a number of searches that are pre-written that give information on who ran what searches when. This has the "Provenance" field, which can be a dashboard, and the search looks like it uses the _introspection index.

I would suggest starting here, as this will likely offer you more information than anything a single answer here can provide. I use the console a ton and have learned a lot about our deployment and usage from it.

Hope this helps!

rosh_dsa
New Member

Thank you, I'll check on this, as long as I can pull a query from it.
