Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dashboard views by user using REST & index=_in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-23-2015
04:12 PM
I'd like to search dashboard views by user, which is stored in index=_internal. REST allows me to limit results using the isDashboard = 1 parameter. Is there a way to join this REST call to index=_internal so I can see dashboard usage without explicitly having to list or exclude dashboard objects in index=_internal?
index=_internal sourcetype=splunk_web_access
| join title type=inner [rest /servicesNS/-/-/data/ui/views | search isDashboard=1 isVisible=1]
| stats count by app, view, user
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgianola
Explorer
11-25-2015
11:37 AM
Looks like this can be solved using rex:
index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views
| search isDashboard=1 isVisible=1
| stats count by app, view, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jagadeeshm
Contributor
01-30-2018
05:46 AM
I don't think this is working anymore!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
althomas
Communicator
04-12-2018
02:04 AM
No, it looks like all the fields got updated. Here's a version that works for me:
index=_internal sourcetype=splunk_web_access host=<SEARCH HEAD> user=<USER>
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title app
[| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search isDashboard=1 isVisible=1
| rename eai:acl.app as app
| stats count by title app
| fields - count ]
| table _time user title app
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
