Dashboards & Visualizations

How to track the editing history of a dashboard?

twh1
Communicator

I have a couple dashboards created. Multiple people have access to edit that dashboard. How can I track who has last edited a particular dashboard? Is there any way I can see the editing history of that dashboard?

1 Solution

twinspop
Influencer

Following Giuseppe's lead, this table might be what you're looking for:

index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/ 
  | table _time user clientip file useragent
  | rename file as dashboard

EDIT: gokaroid's search revealed the 'file' field, removed my rex

FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
 | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
 | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
 | table _time user clientip sessionId edit_type file useragent
 | rename file as dashboard

View solution in original post

0 Karma

davidcottrell
New Member

How to actually use this to see changes?

0 Karma

gokadroid
Motivator

In case the xml was not edited, as edit can happen via edit panels/ui too, so this might also work:

index=_internal sourcetype=splunkd_ui_access method=post edit ui/views 
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table user, useragent, req_time, file, sessionId 
| rename file as dashboard req_time as editTime

twinspop
Influencer

Nice! Good catch on the UI-based edit 🙂

davidcottrell
New Member

How do you use this to view history? Want to undo something.

0 Karma

twh1
Communicator

Can we perform these activity as power user. As I tried to search with index=_internal, but unable to get any event. So just wanted to check, what kind of extra permission needed.

0 Karma

gokadroid
Motivator

You can check what role you have and get the _internal index search ability assigned to it. Or if admin can edit the power role and assign _internal index added in roles section. To achieve it go to Settings>>AccessControl>>Role>>yourRole
Go to section which has heading Indexes and if the role is power it should have All non-internal indexes currently. Get the _internal index added to this list.

0 Karma

twinspop
Influencer

Following Giuseppe's lead, this table might be what you're looking for:

index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/ 
  | table _time user clientip file useragent
  | rename file as dashboard

EDIT: gokaroid's search revealed the 'file' field, removed my rex

FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
 | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
 | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
 | table _time user clientip sessionId edit_type file useragent
 | rename file as dashboard
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi twh1,
you should usee

index=_internal editxml

in the field "file" there is the dashboard modified.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...