Splunk Enterprise Security

How do you make a report of users using 'X' dashboard in Splunk?


Looking for the report of who are using X dashboard in Splunk.
Is there any Query for this?
Thanks in Advance

0 Karma


If you do have access to _internal logs you should be able to the below.... (note that you might need to do some modifications, run the query step by step and do the modifications accordingly)

index=_internal source=web_access.log /app/
| rex "(?:[^/\n]/){5}(?P[^/]+)[^/\n]/(?P\w+\s+)" -----> this is for extracting appname and viewname (please modify this accordingly, not sure why app_name & view_name is not being printed after ?P here)
| search app_name!="search" view_name!="search" app_name!="launcher"
|search sourcetype=splunk_web_access
| eval access_time =strftime(_time,"%Y-%d-%m %H:%M")
| table access_time,user,app_name,view_name
| rename app_name as "Application Name" view_name AS "Dashboard name" user as User
| replace "-" with "No User" in User

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...