Solved: Locate when user(s) accessed dasboard

ralphw_SAIC · ‎03-25-2016

We have a group that is required to record when they review their individual dashboard. We are trying to use Splunk to show they logged in and viewed their dashboard. I am having issues figuring out a search to determine when a dashboard was accessed and by whom.

I just need the initial get of the dashboard, not every search that is in the dashboard.

richgalloway · ‎03-25-2016

I think this will get you started.

index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path

---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2 · ‎03-25-2016

I use this to track the same. (with some exclusion for settings type of dashboards)

index="_internal" source=*access* user!="-" user=* host=sk*s* OR host=sk*u* source="*splunkd_ui_access.log" "en-US/app"  | table _time user referer | rex field=referer "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" | search dashboard!="job_management" dashboard!="dbinfo" dashboard!="dbquery" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="dashboards" dashboard!="reports" dashboard!="report"

richgalloway · ‎03-25-2016

I think this will get you started.

index=_internal source="*/splunkd_ui_access.log" "<myapp>/data/ui/views/<dashboard-name>" | table _time user uri_path

---
If this reply helps you, Karma would be appreciated.

Locate when user(s) accessed dasboard

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?