I have a couple dashboards created. Multiple people have access to edit that dashboard. How can I track who has last edited a particular dashboard? Is there any way I can see the editing history of that dashboard?
Following Giuseppe's lead, this table might be what you're looking for:
index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/
| table _time user clientip file useragent
| rename file as dashboard
EDIT: gokaroid's search revealed the 'file' field, removed my rex
FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)
index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table _time user clientip sessionId edit_type file useragent
| rename file as dashboard
How to actually use this to see changes?
In case the XML was not edited (edits can also happen via edit panels/UI), this might also work:
index=_internal sourcetype=splunkd_ui_access method=post edit ui/views
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table user, useragent, req_time, file, sessionId
| rename file as dashboard req_time as editTime
Nice! Good catch on the UI-based edit 🙂
How do you use this to view history? Want to undo something.
Can we perform this activity as a power user? I tried to search with index=_internal but was unable to get any events, so I just wanted to check what kind of extra permission is needed.
You can check what role you have and get the _internal index search ability assigned to it. Or an admin can edit the power role and add the _internal index in the roles section. To achieve this, go to Settings>>AccessControl>>Role>>yourRole. Go to the section with the heading Indexes; if the role is power, it should currently have All non-internal indexes. Get the _internal index added to this list.
Hi twh1,
you should use
index=_internal editxml
The field "file" contains the modified dashboard.
Bye.
Giuseppe
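To answer the original question directly (who last edited each dashboard), the searches in this thread can be collapsed to one row per dashboard. This is an added example, not part of any post above; it uses only the fields those searches already rely on (user, clientip, file, referer), and the output names last_edit, last_editor, last_clientip, last_edit_type, editors and edits are chosen here.

```spl
index=_internal sourcetype=splunkd_ui_access method=post ui/views/ (editxml OR edit)
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| stats latest(_time) as last_edit
        latest(user) as last_editor
        latest(clientip) as last_clientip
        latest(edit_type) as last_edit_type
        values(user) as editors
        count as edits
        by file
| rename file as dashboard
| sort - last_edit
| eval last_edit=strftime(last_edit, "%Y-%m-%d %H:%M:%S")
| table dashboard last_edit last_editor last_clientip last_edit_type editors edits
```

Add file=<dashboard_name> to the first line to look at a single dashboard. The access log records who posted an edit and when, not the dashboard XML, so it cannot show or undo the change itself.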