Dashboards & Visualizations

One of our users dashboard has disappeared.

Explorer

One of the users recently edited a dashboard to change permissions and since then she cannot see it.

I've tried the following commands

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ OR method=delete ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table _time user clientip sessionId edit_type file useragent
| rename file as dashboard

On the App, there is nothing on the local folder, only the default dashboard are on the default folder (/splunk/etc/apps/TA-WALLIX_Bastion/default/data/ui/views/)

Is there a local folder containing the dashboards of each user?

Something must've happened to the dashboard (i've only seen an edit action).

Thaks for your help

0 Karma

Esteemed Legend

If it was made private, then it will exist in $SPLUNK_HOME/etc/users/<username>/<appname>/local/<dashname>.xml.
The bottom line, just do this to find it:

find $SPLUNK_HOME/etc -name <dashname>.xml

Explorer

The folders are empty, it must have been erased.

Is there any way I can prove to that user that it was removed? I can't seem to find the log. Is my command above correct?

Best regards

0 Karma

Esteemed Legend

You can check the OS audit logs.

0 Karma