Hi,
Try this query:
index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table _time user clientip sessionId edit_type file useragent
| rename file as dashboard
