Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard views by user using REST & index=_internal

mgianola
Explorer
‎11-23-2015 04:12 PM

I'd like to search dashboard views by user, which is stored in index=_internal. REST allows me to limit results using the isDashboard = 1 parameter. Is there a way to join this REST call to index=_internal so I can see dashboard usage without explicitly having to list or exclude dashboard objects in index=_internal?

index=_internal sourcetype=splunk_web_access
| join title type=inner [rest /servicesNS/-/-/data/ui/views | search isDashboard=1 isVisible=1] 
| stats count by app, view, user
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mgianola
Explorer
‎11-25-2015 11:37 AM

Looks like this can be solved using rex:

index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views 
| search isDashboard=1 isVisible=1
| stats count by app, view, user

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mgianola
Explorer
‎11-25-2015 11:37 AM

Looks like this can be solved using rex:

index=_internal sourcetype=splunk_web_access
| rex field=uri_path ".*/(?<title>[^/]*)$"
| join title [rest /servicesNS/-/-/data/ui/views 
| search isDashboard=1 isVisible=1
| stats count by app, view, user
0 Karma
Reply
Solved! Jump to solution

jagadeeshm
Contributor
‎01-30-2018 05:46 AM

I don't think this is working anymore!

0 Karma
Reply
Solved! Jump to solution

althomas
Communicator
‎04-12-2018 02:04 AM

No, it looks like all the fields got updated. Here's a version that works for me:

index=_internal sourcetype=splunk_web_access host=<SEARCH HEAD> user=<USER> 
| rex field=uri_path ".*/(?<title>[^/]*)$" 
| join title app
    [| rest /servicesNS/-/-/data/ui/views splunk_server=local
    | search isDashboard=1 isVisible=1 
    | rename eai:acl.app as app 
    | stats count by title app 
    | fields - count ]
| table _time user title app
0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...
li.common.scroll-to.top