Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dashboard views by user using REST & index=_intern...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-23-2015
04:12 PM
I'd like to search dashboard views by user, which is stored in index=_internal. REST allows me to limit results using the isDashboard = 1 parameter. Is there a way to join this REST call to index=_internal so I can see dashboard usage without explicitly having to list or exclude dashboard objects in index=_internal?
index=_internal sourcetype=splunk_web_access
| join title type=inner [rest /servicesNS/-/-/data/ui/views | search isDashboard=1 isVisible=1]
| stats count by app, view, user
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jagadeeshm
Contributor
01-30-2018
05:46 AM
I don't think this is working anymore!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
althomas
Communicator
04-12-2018
02:04 AM
No, it looks like all the fields got updated. Here's a version that works for me:
index=_internal sourcetype=splunk_web_access host=<SEARCH HEAD> user=<USER>
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title app
[| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| stats count by title app
| fields - count ]
| table _time user title app
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
