Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dashboard views by user using REST & index=_in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-23-2015
04:12 PM
I'd like to search dashboard views by user, which is stored in index=_internal. REST allows me to limit results using the isDashboard = 1 parameter. Is there a way to join this REST call to index=_internal so I can see dashboard usage without explicitly having to list or exclude dashboard objects in index=_internal?
index=_internal sourcetype=splunk_web_access
| join title type=inner [rest /servicesNS/-/-/data/ui/views | search isDashboard=1 isVisible=1]
| stats count by app, view, user
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jagadeeshm
Contributor
01-30-2018
05:46 AM
I don't think this is working anymore!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
althomas
Communicator
04-12-2018
02:04 AM
No, it looks like all the fields got updated. Here's a version that works for me:
index=_internal sourcetype=splunk_web_access host=<SEARCH HEAD> user=<USER>
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title app
[| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| stats count by title app
| fields - count ]
| table _time user title app
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
