We have a group that is required to record when they review their individual dashboard. We are trying to use Splunk to show they logged in and viewed their dashboard. I am having issues figuring out a search to determine when a dashboard was accessed and by whom.
I just need the initial get of the dashboard, not every search that is in the dashboard.
I think this will get you started.
index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path
I use this to track the same. (with some exclusion for settings type of dashboards)
index="_internal" source=*access* user!="-" user=* host=sk*s* OR host=sk*u* source="*splunkd_ui_access.log" "en-US/app" | table _time user referer | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="dbquery" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"
I think this will get you started.
index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path