How To Track User Activity (Modifications of Dashboards, Permission Changes etc.) in Splunk
Hi guys
Welcome back. Your Splunk environment can have many dashboards and many users, so as an admin it is very difficult to keep an eye on everything: which user is accessing which dashboard, when, and what modifications they are making. If you think this is difficult, it will not be after you finish this blog. So let's start.
To see which users are accessing which dashboards, you just need to run this query:
index=_internal sourcetype=splunkd_ui_access method=post ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table _time user clientip sessionId file useragent
| rename file as dashboard
Running it gives you one row per dashboard access: the time, user, client IP, session ID, dashboard and user agent.
But this method has a limitation: it only shows which dashboards users accessed. What if a user changes a dashboard? Any modification (an edit, a permission change or a deletion) can be found with the following query, which reads the splunkd_access log for POST and DELETE requests against the REST endpoints:
index=_internal sourcetype=splunkd_access (method=POST OR method=DELETE) (user!=splunk-system-user user!=-) (uri_path=/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!=/servicesNS/*/mobile_access*)
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
| where mvcount(split(uri_path, "/")) > 6
| eval activity = case(method=="POST" AND like(uri_path, "%/acl"), "Permissions Update", method=="POST" AND NOT like(uri_path, "%/acl"), "Edited", method=="DELETE", "Deleted")
| rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| eval dashboard = urldecode(object_name)
| table _time, user, dashboard, object_type, activity
| search object_type=ui_views
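To see exactly what each stage of that query keeps and throws away, here is the same filter, replace, rex and case logic re-implemented in Python over a few constructed splunkd_access lines. This is an added example, not code from the original post; the log lines and their values are made up, and only the ui/views replacement is applied because the final search keeps ui_views objects only.

```python
import re
from urllib.parse import unquote

# Constructed sample splunkd_access lines (made up for this example).
SAMPLE_LINES = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:01.000 +0000] "POST /servicesNS/nobody/search/data/ui/views/my%20dash HTTP/1.1" 200 512',
    '10.0.0.5 - admin [01/Jan/2024:10:01:02.000 +0000] "POST /servicesNS/nobody/search/data/ui/views/my%20dash/acl HTTP/1.1" 200 300',
    '10.0.0.7 - alice [01/Jan/2024:10:02:03.000 +0000] "DELETE /servicesNS/alice/search/data/ui/views/old_dash HTTP/1.1" 200 120',
    # POST to the collection itself (no object name): only 6 path segments,
    # so the query's mvcount(...) > 6 filter drops it.
    '10.0.0.7 - alice [01/Jan/2024:10:03:04.000 +0000] "POST /servicesNS/alice/search/data/ui/views HTTP/1.1" 201 120',
    '10.0.0.9 - splunk-system-user [01/Jan/2024:10:04:05.000 +0000] "POST /servicesNS/nobody/search/data/ui/views/sys HTTP/1.1" 200 120',
    '10.0.0.9 - bob [01/Jan/2024:10:05:06.000 +0000] "POST /servicesNS/bob/user-prefs/data/user-prefs/general HTTP/1.1" 200 120',
]

LINE_RE = re.compile(r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri_path>\S+)')
# Mirrors the query's rex: skip the three segments after /servicesNS, then take type and name.
OBJ_RE = re.compile(r"/servicesNS(/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")
EXCLUDED = ["*/user-prefs/*", "/servicesNS/*/*/*/jobs/*/control", "/servicesNS/*/mobile_access*"]

def wildcard_match(pattern, value):
    """Splunk-style '*' wildcard: matches any characters, slashes included."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def classify(line):
    """Apply the query's filters and eval steps to one line; None if it is dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, user = m["method"], m["user"]
    uri_path = m["uri_path"].split("?", 1)[0]  # Splunk's uri_path carries no query string
    if method not in ("POST", "DELETE") or user in ("splunk-system-user", "-"):
        return None
    if not uri_path.startswith("/servicesNS/") or any(wildcard_match(p, uri_path) for p in EXCLUDED):
        return None
    # The replace step folds ui/views into one segment so the rex lines up.
    uri_path = uri_path.replace("/ui/views", "/ui_views")
    if len(uri_path.split("/")) <= 6:
        return None
    activity = "Deleted" if method == "DELETE" else (
        "Permissions Update" if uri_path.endswith("/acl") else "Edited")
    o = OBJ_RE.search(uri_path)
    if not o or o["object_type"] != "ui_views":  # final `search object_type=ui_views`
        return None
    return (m["ts"], user, unquote(o["object_name"]), o["object_type"], activity)

def run(lines):
    """Return the rows the query's table command would show, in log order."""
    return [row for row in map(classify, lines) if row]
```

Call `run(SAMPLE_LINES)` to get three rows: the edit and the permission change on "my dash" by admin, and alice's deletion of old_dash; the collection POST, the system user and the user-prefs request are all filtered out.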
Hope you all enjoyed this topic on How To Track User Activity (Modifications of Dashboards, Permission Changes etc.) in Splunk.
Happy Splunking!!