Solved: Locate when user(s) accessed dasboard

ralphw_SAIC · ‎03-25-2016

We have a group that is required to record when they review their individual dashboard. We are trying to use Splunk to show they logged in and viewed their dashboard. I am having issues figuring out a search to determine when a dashboard was accessed and by whom.

I just need the initial get of the dashboard, not every search that is in the dashboard.

richgalloway · ‎03-25-2016

I think this will get you started.

index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path

---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2 · ‎03-25-2016

I use this to track the same. (with some exclusion for settings type of dashboards)

index="_internal" source=*access* user!="-" user=* host=sk*s* OR host=sk*u* source="*splunkd_ui_access.log" "en-US/app"  | table _time user referer | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="dbquery" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

richgalloway · ‎03-25-2016

I think this will get you started.

index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path

---
If this reply helps you, Karma would be appreciated.

Locate when user(s) accessed dasboard

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes