Dashboards & Visualizations

How do you monitor for when someone creates a new dashboard?

amirarsalan
Explorer

Hi!

I need some help.

I want to create a dashboard that shows when someone adds a new dashboard in Splunk.

I have a search that only shows when people make changes, but I need it for when someone creates a new dashboard.

index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/
  | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
  | rex field=other "\s*?\-\s*(?<file>[\S]+)\s*"
  | table _time user clientip sessionId edit_type file useragent
  | rename file as dashboard req_time as editTime
0 Karma
1 Solution


niketn
Legend

@amirarsalan the REST API is the key; however, you would also need a lookup file to compare with a dashboard inventory list. PS: while using the REST API, make sure you filter out results from specific app(s) as per your needs (also other filters if applicable, like specific user, specific dashboard naming convention, specific permissions, etc.)

Step 1: Run the above search once and pipe to outputlookup to save it to a lookup file as the available dashboard inventory list, let's say dashboards_inventory.csv.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1"
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author
| outputlookup dashboards_inventory.csv 

PS: This query would need to be run only once.

Step 2: Schedule an alert (based on frequency as per your use case, ideally once daily) to run the above REST API search and compare with the available dashboard inventory list. This alert will take the required alert action, like sending out an email or anything else as per your use case.

| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" 
| search isDashboard="1" AND isVisible="1" NOT title IN 
    (
      [| inputlookup dashboards_inventory.csv 
       | fields title 
       | stats values(title) as title 
       | eval search ="\"".mvjoin(title,"\",\"")."\"" 
       | table search]
    )
| fields title label author eai:acl.app 
| eval Check_Date = now() 
| stats last(Check_Date) as Check_Date by title eai:acl.app author

Step 3: If there is any additional dashboard, trigger the alert and also trigger an "append output to lookup" alert action to update the existing available dashboard inventory list. Refer to the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/OutputToCSVLookup
Please try it out and confirm if the approach works for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

amirarsalan
Explorer

Hi!
I have this search:

| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

How do I create an alert when someone creates a new dashboard? Can I use this search?

0 Karma

amirarsalan
Explorer

Or if I can create a dashboard with that search that only shows when someone creates a new dashboard.

For example, the last 7 days.

0 Karma

niketn
Legend

@amirarsalan did you try the above approach?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

amirarsalan
Explorer

Hi!
Step one is done, but for the two others I need more information. I don't know how to make them.

0 Karma

dkeck
Influencer

Ok I see.

Please try :

| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv
| where first_seen=now()

You can set up an alert with this search, OR leave out the last where and set up a new search to search the lookup for dashboards you haven't seen in the last week, e.g.

0 Karma
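Added example (not code from the thread or from Splunk): the lookup-based search above, and niketn's inventory comparison earlier in the thread, both implement the same stateful "first seen" pattern. This Python re-implementation shows the merge step outside SPL, so it is clear why the first run reports every dashboard as new, why the second run reports nothing, and why `| where first_seen=now()` works (now() is frozen for the whole search, so one run timestamp is reused for all rows). The REST rows and the CSV lookup are constructed inline; field names follow the thread, and no Splunk connection is made.

```python
"""Stateful first-seen detection for dashboards, mirroring the SPL lookup search.

Added example, not from the thread. Inputs are constructed; no Splunk instance is used.
"""
import csv
import io
import time

# Constructed sample of what `| rest /services/data/ui/views` returns, reduced to
# the fields the SPL keeps. Field names are as used in the thread.
REST_RUN_1 = [
    {"eai:acl.app": "search", "title": "sales_overview", "isDashboard": "1", "isVisible": "1"},
    {"eai:acl.app": "search", "title": "hidden_internal", "isDashboard": "1", "isVisible": "0"},
    {"eai:acl.app": "ops", "title": "uptime", "isDashboard": "1", "isVisible": "1"},
    {"eai:acl.app": "ops", "title": "some_report", "isDashboard": "0", "isVisible": "1"},
]
# Same inventory after someone created one more visible dashboard.
REST_RUN_2 = REST_RUN_1 + [
    {"eai:acl.app": "ops", "title": "new_incident_board", "isDashboard": "1", "isVisible": "1"},
]


def load_lookup(csv_text):
    """Equivalent of `| inputlookup first_seen_dashboard.csv`; empty text is an empty lookup."""
    state = {}
    if not csv_text.strip():
        return state
    for row in csv.DictReader(io.StringIO(csv_text)):
        state[(row["app"], row["title"])] = int(row["first_seen"])
    return state


def dump_lookup(state):
    """Equivalent of `| outputlookup first_seen_dashboard.csv` (columns app, title, first_seen)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["app", "title", "first_seen"])
    writer.writeheader()
    for (app, title), first_seen in sorted(state.items()):
        writer.writerow({"app": app, "title": title, "first_seen": first_seen})
    return buf.getvalue()


def detect_new_dashboards(rest_rows, lookup_csv, run_time=None):
    """One scheduled run of the search.

    Returns (new_dashboards, updated_lookup_csv). A dashboard is new when the
    stats min(first_seen) by app, title still equals this run's timestamp,
    i.e. the lookup had no earlier sighting of it. This is `| where first_seen=now()`.
    """
    run_time = int(time.time()) if run_time is None else run_time

    # | where isDashboard="1" AND isVisible="1" | rename eai:acl.app as app | eval first_seen=now()
    current = {
        (row["eai:acl.app"], row["title"]): run_time
        for row in rest_rows
        if row["isDashboard"] == "1" and row["isVisible"] == "1"
    }

    # | inputlookup append=t first_seen_dashboard.csv | stats min(first_seen) as first_seen by app title
    # Entries that only exist in the lookup (deleted dashboards) are kept, exactly as the SPL does.
    state = load_lookup(lookup_csv)
    for key, seen_at in current.items():
        state[key] = min(state.get(key, seen_at), seen_at)

    new_dashboards = sorted(key for key, seen_at in state.items() if seen_at == run_time)
    return new_dashboards, dump_lookup(state)


if __name__ == "__main__":
    # First run: every visible dashboard is "new" because the lookup is empty (baseline).
    new, lookup = detect_new_dashboards(REST_RUN_1, "", run_time=1000)
    print("run 1 new:", new)
    # Second run with an unchanged inventory: nothing is reported.
    new, lookup = detect_new_dashboards(REST_RUN_1, lookup, run_time=2000)
    print("run 2 new:", new)
    # Third run after a dashboard was created: only that one is reported.
    new, lookup = detect_new_dashboards(REST_RUN_2, lookup, run_time=3000)
    print("run 3 new:", new)
```

Two caveats carry over from the thread. The rest command only returns objects the executing user can read, so if the scheduled search runs as a user without read access to an app (or uses `/services/` instead of `/servicesNS/-/-/`), dashboards in that app are never seen and never alerted on. And because the lookup is the only memory, deleting the CSV resets the baseline and the next run reports everything again.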

amirarsalan
Explorer

I tried it and I got a response this time with a lot of dashboards, then I tried to create a new dashboard but nothing showed up 😞

0 Karma

amirarsalan
Explorer

I forgot to say, I only get a response on the search when I put

| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title
| outputlookup first_seen_dashboard.csv

With | where first_seen=now() I don't get any response.

0 Karma

dkeck
Influencer

It's normal that you get all dashboards the first time you run the search (for the search they are all new). The second time there should be no results, unless you created a new one in between.

0 Karma

amirarsalan
Explorer

Aha, then I understand, because I got results the first time I ran the search and not the second time.
But after that I created a new dashboard, but still I did not get any results.

0 Karma

dkeck
Influencer

In my test box it's working.

Does the new dashboard show up in the rest call itself?
| rest splunk_server=local /services/data/ui/views
| where isDashboard="1" AND isVisible="1"

Please perform the search step by step and try to figure out at which point your new dashboard can't be found / is it written to the lookup? etc.

0 Karma

amirarsalan
Explorer

I can only see my old dashboards

0 Karma

dkeck
Influencer

Sounds more like a permission issue; the search is working.

0 Karma

amirarsalan
Explorer

Hi dkeck,

I found another search

| rest /servicesNS/-/-/data/ui/views | table author title eai:acl.app label | eval Type="Dashboards" | rename author as Owner title as Name eai:acl.app as AppName

Now I can see all dashboards, also my own.

Can you help me now with that search? I only want to see when some person creates a new dashboard. My search shows all our dashboards.

0 Karma

dkeck
Influencer

Hi, just append the second part of the search to your new search:

| rest /servicesNS/-/-/data/ui/views
| rename eai:acl.app as app
| eval first_seen=now()
| table app title first_seen label author
| inputlookup append=t first_seen_dashboard.csv
| stats min(first_seen) as first_seen by app title label author
| outputlookup first_seen_dashboard.csv
| where first_seen=now()

Your new REST endpoint provides a lot of system dashboards (from Management Console etc.); don't know if this is what you wanted, just be aware of it.

0 Karma

amirarsalan
Explorer

Thanks, it works now 🙂

0 Karma

amirarsalan
Explorer

I have superadmin; I can see other users' dashboards when I use the search, and my own dashboards, but not the new ones I created.

0 Karma

dkeck
Influencer

If you add | table title updated after running your search

new search:

| rest /services/data/ui/views
| where isDashboard="1" AND isVisible="1"
| table title updated

I can see my newly added dashboards.

0 Karma

amirarsalan
Explorer

I tried that, I can only see a bunch of dashboards that were newly updated. I only want to see new dashboards.

0 Karma

skalliger
Motivator

Take a look into

| rest /services/data/ui/views
| search isDashboard="1"

Hope this helps for further SPL. 🙂

Skalli

0 Karma