Solved: How can I create a query to find dashboard usage a...

Jewatson17 · ‎02-09-2018

I need a query that will pull the count or percentage of usage of each dashboard in my environment or a query to list the used dashboards.

cmerriman · ‎02-12-2018

index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

View solution in original post

cmerriman · ‎02-12-2018

index="_internal" user!="-"  sourcetype=splunkd_ui_access "en-US/app"  | rex field=uri "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search  dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

that should get you dashboards usage. follow that by one of the following to list out usage by user/day or percentage overall.

| bucket _time span=1d | stats dc(dashboard) as c by dashboard user _time
|top dashboard

MuS · ‎05-10-2020

Thanks for this nice search @cmerriman !

For everyone else out there that are wondering why they don't get results after c/p this SPL: remember not everyone uses "en-US/app" as locale 😉

cheers, MuS

cmerriman · ‎05-10-2020

Good point @MuS ! Thanks!

Jewatson17 · ‎02-12-2018

I try to run it and I get No results found
Any reason?

BrettRoberts · ‎09-08-2019

This was perfect for my use case! Thanks so much

cmerriman · ‎02-12-2018

if you run index="_internal" sourcetype=splunkd_ui_access do you get results? try to break the search down bit by bit. this is the search ran on my environment, so it may need a bit of tweaking.

Jewatson17 · ‎02-12-2018

yes this populates results

cmerriman · ‎02-12-2018

when you add | rex field=uri "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)", do you get fields called app and dashboard that are populated with apps (search, and other apps in your enviro as well as dashboard names)? i'm tweaking this on the fly a little.

Jewatson17 · ‎02-12-2018

I do not get any of those fields populated

cmerriman · ‎02-12-2018

then that's where the problem is. try the rex command without field=uri. | rex "/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" it'll regex from the raw event. see if that works and populates accurate results.

Jewatson17 · ‎02-12-2018

That worked. Thank you. I have results now, but Should the results only be dashboard names or does it populate all views? I only want dashboard names.

cmerriman · ‎02-12-2018

it brings in pages like alerts, dashboards, reports, etc. we use | search dashboard!="search" dashboard!="home" dashboard!="alert" dashboard!="lookup_edit" dashboard!="@go" dashboard!="data_lab" dashboard!="dataset" dashboard!="datasets" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report" in ours to exclude those. you can also add search app=search if you're only looking for the search and reporting dashboards.

Jewatson17 · ‎02-12-2018

thanks a lot!

jayachandrank · ‎05-15-2019

@cmerriman Hi..It works well ask per your comments but i can see it shows others private dashboards usage as well which I don't want because they can be used to test purpose which they will hit many times definitely... I need to check only the dashboards which are shared to all users.. i need to ignore the private dashboards which created by anyone...How to achieve this

gjanders · ‎02-12-2018

The search activity app likely has a view for this but I have not tested it...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Kwip · ‎02-11-2018

You can the Dashboard Monitoring App from Splunk Base for better experience of data.

https://splunkbase.splunk.com/app/3350/

And follow the below post, may be fulfill your need

https://answers.splunk.com/answers/126036/case-how-to-find-the-dashboard-usage-data.html

anywhere99 · ‎02-20-2020

Thanks for the searches!

How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...