Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dashboard views by user using REST & index=_intern...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-23-2015
04:12 PM
I'd like to search dashboard views by user, which is stored in index=_internal. REST allows me to limit results using the isDashboard = 1 parameter. Is there a way to join this REST call to index=_internal so I can see dashboard usage without explicitly having to list or exclude dashboard objects in index=_internal?
index=_internal sourcetype=splunk_web_access
| join title type=inner [rest /servicesNS/-/-/data/ui/views | search isDashboard=1 isVisible=1]
| stats count by app, view, user
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jagadeeshm
Contributor
01-30-2018
05:46 AM
I don't think this is working anymore!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
althomas
Communicator
04-12-2018
02:04 AM
No, it looks like all the fields got updated. Here's a version that works for me:
index=_internal sourcetype=splunk_web_access host=<SEARCH HEAD> user=<USER>
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title app
[| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| stats count by title app
| fields - count ]
| table _time user title app
Get Updates on the Splunk Community!
OpenTelemetry for Legacy Apps? Yes, You Can!
This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...
UCC Framework: Discover Developer Toolkit for Building Technology Add-ons
The Next-Gen Toolkit for Splunk Technology Add-on Development
The Universal Configuration Console (UCC) ...
.conf25 Community Recap
Hello Splunkers,
And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...
