All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

See User Activity by App and View

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-04-2019 03:24 PM

Please see accepted answer below for search that shows what apps and views (dashboards in those apps) users are going to, by user app and view.

Please let me know if this is helpful or improvements you would suggest.

Thanks!

Tags (1)
Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-05-2019 07:36 AM

Accepted Solution

   index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
    | stats count latest(_time) as ViewTime by user app view
    | sort -count
    | eventstats sum(count) as countByApp list(view) as view list(count) as count list(ViewTime) as ViewTime by user app
    | convert timeformat="%a %m/%d/%Y %I:%M:%S %p" ctime(ViewTime)
    | dedup app
    | appendpipe [stats sum(count) as count by user | eval view = "Total Views"]
    | sort + user -countByApp

One suggestion is to play with the table format to highlight the total views by user as per the screenshot below:
alt text

Here is an example of what your results might look like:
alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

tnesavich_splun
Splunk Employee
Splunk Employee
‎06-05-2019 07:36 AM

Accepted Solution

   index=_internal sourcetype="splunk_web_access" method="GET" status="200" user!=-
    | stats count latest(_time) as ViewTime by user app view
    | sort -count
    | eventstats sum(count) as countByApp list(view) as view list(count) as count list(ViewTime) as ViewTime by user app
    | convert timeformat="%a %m/%d/%Y %I:%M:%S %p" ctime(ViewTime)
    | dedup app
    | appendpipe [stats sum(count) as count by user | eval view = "Total Views"]
    | sort + user -countByApp

One suggestion is to play with the table format to highlight the total views by user as per the screenshot below:
alt text

Here is an example of what your results might look like:
alt text

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-05-2019 07:04 AM

Hi @tnesavich_splunk,
Please look for Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) to check the complete example of how to highlight some cell in the table with JS.

Hope this helps!!!

0 Karma
Reply
Solved! Jump to solution

alonsocaio
Contributor
‎06-05-2019 04:23 AM

Hi,

This is a very interesting query actually. A while ago I was looking exactly for something like that.

My suggestion would be to use

| dedup app, user

Instead of

| dedup app

This would allow you to see if more than one user accessed the same app. Like, If user A and user B accessed the search app in the last hour and you dedup by app, you will see just one user in your table. When you dedup by app and user you see both users listed, even if they used the same app.

Reply
Solved! Jump to solution

Smrtz
Engager
3 weeks ago

Confirming this still works as of Splunk Cloud v9.0.2

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...