Hi All, I have used the query below to check the usage of the dashboards, but I am not able to get all the users. Can someone guide me on that?
index=_internal sourcetype=splunkd_ui_access Infrastructure NOT splunkd user!="-" | rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk) | stats count by app dashboard user
Not sure what the infrastructure part is doing in your search, but this works for me:
index=_internal sourcetype=splunkd_ui_access NOT splunkd user!="-" | rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk) | stats count by app dashboard user
How do you know some users are missing? Is there something different about the events for these users?
Infrastructure is my app name where the dashboards are. Also, there are some users who visit the dashboards but whose names are not there.
Are the same users always missing? Are the events completely missing or just the user being set to "-"?
Users are missing. I am not getting the name of all the users.