Dashboards & Visualizations

How to track the editing history of a dashboard?

twh1
Communicator

I have a couple dashboards created. Multiple people have access to edit that dashboard. How can I track who has last edited a particular dashboard? Is there any way I can see the editing history of that dashboard?

1 Solution

twinspop
Influencer

Following Giuseppe's lead, this table might be what you're looking for:

index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/ 
  | table _time user clientip file useragent
  | rename file as dashboard

EDIT: gokaroid's search revealed the 'file' field, removed my rex

FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
 | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
 | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
 | table _time user clientip sessionId edit_type file useragent
 | rename file as dashboard

View solution in original post

0 Karma

davidcottrell
New Member

How to actually use this to see changes?

0 Karma

gokadroid
Motivator

In case the xml was not edited, as edit can happen via edit panels/ui too, so this might also work:

index=_internal sourcetype=splunkd_ui_access method=post edit ui/views 
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table user, useragent, req_time, file, sessionId 
| rename file as dashboard req_time as editTime

twinspop
Influencer

Nice! Good catch on the UI-based edit 🙂

davidcottrell
New Member

How do you use this to view history? Want to undo something.

0 Karma

twh1
Communicator

Can we perform these activity as power user. As I tried to search with index=_internal, but unable to get any event. So just wanted to check, what kind of extra permission needed.

0 Karma

gokadroid
Motivator

You can check what role you have and get the _internal index search ability assigned to it. Or if admin can edit the power role and assign _internal index added in roles section. To achieve it go to Settings>>AccessControl>>Role>>yourRole
Go to section which has heading Indexes and if the role is power it should have All non-internal indexes currently. Get the _internal index added to this list.

0 Karma

twinspop
Influencer

Following Giuseppe's lead, this table might be what you're looking for:

index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/ 
  | table _time user clientip file useragent
  | rename file as dashboard

EDIT: gokaroid's search revealed the 'file' field, removed my rex

FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ 
 | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
 | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
 | table _time user clientip sessionId edit_type file useragent
 | rename file as dashboard
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi twh1,
you should usee

index=_internal editxml

in the field "file" there is the dashboard modified.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...