├── bin └── README ├── static ├── appIcon.png ├── appLogo.png ├── appIconAlt.png ├── appIcon_2x.png ├── appLogo_2x.png └── appIconAlt_2x.png ├── install └── admin_assistant.spl ├── default ├── app.conf └── data │ └── ui │ ├── nav │ └── default.xml │ └── views │ ├── alert_adoption.xml │ ├── server_overview.xml │ ├── home.xml │ ├── macros_explorer.xml │ ├── rbac_modifications.xml │ ├── license_usage.xml │ ├── event_types_explorer.xml │ ├── metrics_explorer.xml │ ├── splunkd_log_explorer.xml │ ├── data_model_utilization.xml │ ├── data_flow.xml │ ├── lookups_explorer.xml │ ├── popular_data.xml │ ├── rbac_explorer.xml │ ├── search_explorer.xml │ ├── admin_assistant_template.xml │ ├── user_logins.xml │ ├── bucket_explorer.xml │ └── dashboard_adoption.xml ├── metadata ├── default.meta └── local.meta ├── appserver └── static │ └── admin_assistant_stylesheet.css ├── SCREENSHOTS.md └── README.md /bin/README: -------------------------------------------------------------------------------- 1 | This is where you put any scripts you want to add to this app. 
2 | -------------------------------------------------------------------------------- /static/appIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appIcon.png -------------------------------------------------------------------------------- /static/appLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appLogo.png -------------------------------------------------------------------------------- /static/appIconAlt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appIconAlt.png -------------------------------------------------------------------------------- /static/appIcon_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appIcon_2x.png -------------------------------------------------------------------------------- /static/appLogo_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appLogo_2x.png -------------------------------------------------------------------------------- /static/appIconAlt_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/static/appIconAlt_2x.png -------------------------------------------------------------------------------- /install/admin_assistant.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tmannel/admin_assistant/HEAD/install/admin_assistant.spl -------------------------------------------------------------------------------- 
/default/app.conf: -------------------------------------------------------------------------------- 1 | [default] 2 | 3 | [install] 4 | is_configured = 0 5 | install_source_checksum = e6b67dd2d03c9d1e12956116d7c9f1f8307c2d88 6 | 7 | [launcher] 8 | version = 1.2.0 9 | author = Tim Mannel, Splunk Sales Engineer 10 | description = The Admin Assistant allows Splunk admins to monitor data ingestion and onboarding, RBAC config, user onboarding, and more! Dashboard panels are powered by internal logs, the Splunk REST API, and reporting commands. 11 | 12 | [ui] 13 | is_visible = 1 14 | label = Admin Assistant 15 | -------------------------------------------------------------------------------- /metadata/default.meta: -------------------------------------------------------------------------------- 1 | 2 | # Application-level permissions 3 | 4 | [] 5 | access = read : [ * ], write : [ admin, power ] 6 | 7 | ### EVENT TYPES 8 | 9 | [eventtypes] 10 | export = system 11 | 12 | 13 | ### PROPS 14 | 15 | [props] 16 | export = system 17 | 18 | 19 | ### TRANSFORMS 20 | 21 | [transforms] 22 | export = system 23 | 24 | 25 | ### LOOKUPS 26 | 27 | [lookups] 28 | export = system 29 | 30 | 31 | ### VIEWSTATES: even normal users should be able to create shared viewstates 32 | 33 | [viewstates] 34 | access = read : [ * ], write : [ * ] 35 | export = system 36 | -------------------------------------------------------------------------------- /appserver/static/admin_assistant_stylesheet.css: -------------------------------------------------------------------------------- 1 | /* Give a little margin to separate sections. */ 2 | #html_header2, #html_header3, #html_header4 { 3 | margin-top: 25px !important; 4 | } 5 | 6 | /* This puts a nice gray bar that links the header and subsequent panels. Looks good. */ 7 | #html_header1, #html_header2, #html_header3, #html_header4 { 8 | background-color: lightgray; 9 | } 10 | 11 | /* IDs to apply fixed widths to panels. 
*/ 12 | #customWidth_10 { 13 | width: 10% !important ; 14 | } 15 | 16 | #customWidth_25 { 17 | width: 25% !important; 18 | } 19 | 20 | 21 | #customWidth_75 { 22 | width: 75% !important; 23 | } 24 | 25 | #customWidth_90 { 26 | width: 90% !important; 27 | } 28 | -------------------------------------------------------------------------------- /SCREENSHOTS.md: -------------------------------------------------------------------------------- 1 | Home Dashboard: 2 | 3 | ![image](https://user-images.githubusercontent.com/49074445/85234875-b50f1e80-b3de-11ea-8786-d4aca73f503c.png) 4 | ![image](https://user-images.githubusercontent.com/49074445/85234890-ca844880-b3de-11ea-81ab-a1418dce9223.png) 5 | 6 | RBAC Explorer: 7 | 8 | ![image](https://user-images.githubusercontent.com/49074445/85234923-f99aba00-b3de-11ea-88f3-d06c77899d5f.png) 9 | ![image](https://user-images.githubusercontent.com/49074445/85234938-16cf8880-b3df-11ea-8ed9-5dd06ef58130.png) 10 | ![image](https://user-images.githubusercontent.com/49074445/85234946-25b63b00-b3df-11ea-9777-a4daba8c547a.png) 11 | 12 | Popular Data: 13 | 14 | ![image](https://user-images.githubusercontent.com/49074445/85235042-e805e200-b3df-11ea-97f2-358f9b5fa7ff.png) 15 | ![image](https://user-images.githubusercontent.com/49074445/85235051-f9e78500-b3df-11ea-965a-21737e1d345f.png) 16 | ![image](https://user-images.githubusercontent.com/49074445/85235056-07047400-b3e0-11ea-82ea-673a42a94737.png) 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # admin_assistant 2 | The Admin Assistant allows Splunk admins to monitor data ingestion and onboarding, RBAC config, user onboarding, and more! Dashboard panels are powered by internal logs, the Splunk REST API, and reporting commands. 
3 | 4 | ## Installation 5 | Install pre-requisite visualization apps on search heads or search head cluster: 6 | - Sankey Diagram 7 | 8 | Install on Splunk monitoring console and/or search heads. No knowledge objects other than views are required for Admin Assistant. Two options are available: 9 | 10 | - Install using git into the apps directory: 11 | 12 | ``` 13 | cd $SPLUNK_HOME/etc/apps 14 | git clone https://github.com/tmannel/admin_assistant 15 | ``` 16 | - Download the .spl package and upload via the Splunk UI: 17 | [link to .spl](https://adminassistantpackage.s3.amazonaws.com/admin_assistant.spl) 18 | 19 | ## Roadmap 20 | Introspection on indexers, search heads, heavy forwarders. Clustering insights. 21 | 22 | ## Author 23 | Tim Mannel, Splunk Solutions Engineer 24 | 25 | ## License 26 | Admin Assistant is licensed under the GNU Public License v3 free of charge. 27 | -------------------------------------------------------------------------------- /default/data/ui/nav/default.xml: -------------------------------------------------------------------------------- 1 | 39 | -------------------------------------------------------------------------------- /metadata/local.meta: -------------------------------------------------------------------------------- 1 | [app/ui] 2 | version = 7.3.1 3 | modtime = 1589578965.095563000 4 | 5 | [app/launcher] 6 | version = 7.3.1 7 | modtime = 1589578965.098414000 8 | 9 | [lookups/value_drivers.csv] 10 | owner = admin 11 | version = 7.1.2 12 | modtime = 1569018664.167465000 13 | 14 | [nav/default] 15 | version = 7.3.1 16 | modtime = 1589752188.369897000 17 | 18 | [views/data_summary] 19 | owner = admin 20 | version = 7.3.1 21 | modtime = 1589649101.313806000 22 | 23 | [views/rbac_explorer] 24 | owner = admin 25 | version = 7.3.1 26 | modtime = 1589757738.468930000 27 | 28 | [views/splunk_user_activity] 29 | owner = admin 30 | version = 7.1.2 31 | modtime = 1584499144.833722000 32 | 33 | [views/data_onboarding] 34 | owner = admin 
35 | version = 7.3.1 36 | modtime = 1589756511.659443000 37 | 38 | [views/data_performance] 39 | access = read : [ * ], write : [ * ] 40 | export = none 41 | owner = admin 42 | version = 7.1.2 43 | modtime = 1584568542.626650000 44 | 45 | [views/bucket_explorer] 46 | version = 7.3.1 47 | modtime = 1588878737.613941000 48 | 49 | [views/dashboard_adoption] 50 | owner = admin 51 | version = 7.3.1 52 | modtime = 1588878335.681513000 53 | 54 | [app/install/install_source_checksum] 55 | version = 7.3.1 56 | modtime = 1584636984.617050000 57 | 58 | [views/user_adoption] 59 | version = 7.3.1 60 | modtime = 1589752286.861429000 61 | 62 | [indexes/wb_buckets] 63 | owner = admin 64 | version = 7.3.1 65 | modtime = 1584972529.029478000 66 | 67 | [] 68 | access = read : [ supportanalyst ], write : [ admin, power, splunk-system-role ] 69 | export = none 70 | version = 7.3.1 71 | modtime = 1586543427.844050000 72 | 73 | [panels/search_history] 74 | owner = admin 75 | version = 7.3.1 76 | modtime = 1586477674.536818000 77 | 78 | [views/home] 79 | owner = admin 80 | version = 7.3.1 81 | modtime = 1589757664.635088000 82 | 83 | [views/alert_adoption] 84 | access = read : [ supportanalyst ], write : [ admin, power, splunk-system-role ] 85 | export = none 86 | owner = admin 87 | version = 7.3.1 88 | modtime = 1588203711.469148000 89 | 90 | [app/package/check_for_updates] 91 | version = 7.3.1 92 | modtime = 1589578965.099473000 93 | -------------------------------------------------------------------------------- /default/data/ui/views/alert_adoption.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Explore use of alerts over time. 4 |
5 | 6 | 7 | 8 |

Alert Usage

9 |

Alert activity configured from this search head or search head cluster.

10 | 11 |
12 |
13 | 14 | 15 | Fired Alerts 16 | 17 | 18 | 19 | -7d@h 20 | now 21 | 22 | 23 | 24 | 25 | index="_internal" sourcetype="scheduler" alert_actions=* NOT alert_actions="" 26 | | timechart count by savedsearch_name 27 | $alerts_timepicker.earliest$ 28 | $alerts_timepicker.latest$ 29 | 30 | 31 | 32 | 33 | 34 | search?sid=$row.sid$ 35 | 36 | 37 | 38 | 39 | Fired Alert Detail 40 | 41 | 42 | index="_internal" sourcetype="scheduler" NOT alert_actions="" 43 | | reltime 44 | | table host _time reltime log_level user savedsearch_name app status action alert_actions result_count run_time 45 | | foreach _time 46 | [eval <<FIELD>>=strftime(<<FIELD>>, "%c")] 47 | -60m@m 48 | now 49 | 1 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 |
60 |
61 |
62 | 63 | 64 | Alerts 65 | 66 | $total_alert_count$ total alerts found. 67 | 68 | 69 | $job.resultCount$ 70 | 71 | | rest splunk_server=local /servicesNS/-/-/saved/searches 72 | | search actions=* NOT actions="" 73 | | fields splunk_server eai:acl.owner author eai:acl.app title description search actions triggered_alert_count actions alert.severity alert_threshold alert_comparator cron_schedule disabled 74 | $alerts_timepicker.earliest$ 75 | $alerts_timepicker.latest$ 76 | 1 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | {"0":#53A051,"1":#DC4E41} 88 | 89 | 90 | 91 | 92 | 93 |
94 |
95 |
96 |
97 | -------------------------------------------------------------------------------- /default/data/ui/views/server_overview.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | View components of your distributed Splunk deployment. 4 | 5 | 6 | | rest splunk_server=* servicesNS/-/-/server/info 7 | 8 | $timepicker.earliest$ 9 | $timepicker.latest$ 10 | 11 |
12 | 13 | 14 | 15 | -24h@h 16 | now 17 | 18 | 19 | 20 | 21 | All 22 | indexer 23 | shc_captain 24 | shc_member 25 | search_peer 26 | kv_store 27 | cluster_master 28 | cluster_slave 29 | cluster_search_head 30 | license_master 31 | deployment_server 32 | server_roles IN ( 33 | ) 34 | * 35 | , 36 | 37 | 38 | 39 | splunk_server IN ( 40 | ) 41 | * 42 | 43 |
44 | 45 | 46 | 47 |

Deployment Overview

48 |

View configured roles and ensure internal logs are forwarded to indexers.

49 | 50 |
51 |
52 | 53 | 54 | Servers by Roles 55 | 56 | Servers by Roles 57 | 58 | | search $splunk_server_token$ $server_roles_token$ 59 | | fields splunk_server server_roles 60 | | stats delim="; " values(server_roles) as server_roles by splunk_server 61 | | mvcombine server_roles 62 | | mvcombine splunk_server 63 | | eval number_of_servers = mvcount(splunk_server) 64 | | eval splunk_server = mvjoin(splunk_server, "; ") 65 | | addcoltotals number_of_servers labelfield=server_roles label="total" 66 | 67 | 68 | 69 | 70 | {"green":#53A051} 71 | 72 |
73 |
74 |
75 | 76 | 77 | 78 |

Server Details

79 |

From REST services/server/info

80 | 81 |
82 |
83 | 84 | 85 | 86 | 87 | | search $splunk_server_token$ 88 | | eval startup_time=strftime(startup_time, "%Y-%m-%d %H:%M:%S") 89 | | table health_info host splunk_server serverName product_type version activeLicense* licenseState os_name cpu_arch numberOfCores physicalMemoryMB fips_mode kvStoreStatus 90 | | sort host 91 | 92 | 93 | 94 | 95 | 96 | {"green":#53A051} 97 | 98 |
99 |
100 |
101 |
102 | -------------------------------------------------------------------------------- /default/data/ui/views/home.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | A landing page for Admin Assistant users. 4 | 5 | 6 | 7 | | rest /servicesNS/-/-/data/ui/views splunk_server=local 8 | | search eai:acl.app=admin_assistant 9 | | dedup title 10 | | stats count 11 | 12 | 13 | $result.views_in_this_app_baseSearch$ 14 | 15 | 16 | 17 | 18 | <h1 align="center">Welcome to Admin Assistant!</h1> 19 | <p align="center">Explore your data, users, performance, and more!</p> 20 | 21 | 22 | 23 | 24 | 25 | Admin Assistant Details 26 | 27 | | rest /services/apps/local/admin_assistant splunk_server=local 28 | | fields label title author version description eai:acl.perms.read eai:acl.perms.write eai:acl.sharing updated 29 | | eval value="value" 30 | | rename eai:acl.perms.* as *_permissions 31 | | transpose column_name=property header_field="value" 32 | -60m@m 33 | now 34 | 1 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 |
48 |
49 | 50 | 51 | Your User Context 52 | 53 | | rest /services/authentication/current-context splunk_server=local 54 | | eval is_admin=if(roles="admin", "y", "n"), rest_properties_get=if(capabilities="rest_properties_get", "y", "n"), list_metrics_catalog=if(capabilities="list_metrics_catalog", "y", "n"), get_metadata=if(capabilities="get_metadata", "y", "n") 55 | | eval lastLogin=strftime(last_successful_login,"%Y-%m-%d %H:%M") 56 | | eval timeSinceLastLogin=now()-last_successful_login 57 | | eval sinceLastLogin=case(timeSinceLastLogin < 3600, round(timeSinceLastLogin / 60) . " min ago", timeSinceLastLogin < 86400, round(timeSinceLastLogin / 3600) . " hours ago", 1=1, round(timeSinceLastLogin / 86400) . " days ago") 58 | | eval last_successful_login=lastLogin." - ".sinceLastLogin 59 | | table realname username email type roles defaultApp last_successful_login is_admin rest_properties_get list_metrics_catalog get_metadata 60 | | eval value="value" 61 | 62 | | transpose column_name=property header_field="value" 63 | | replace "y" with "y ✅" in value 64 | -60m@m 65 | now 66 | 1 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | {"y":#DCEDC8,"n":#FFCDD2} 78 | 79 |
80 |
81 |
82 | 83 | 84 | View Details 85 | 86 | 87 | | rest /servicesNS/-/-/data/ui/views splunk_server=local 88 | | search eai:acl.app=admin_assistant 89 | | fields label title description 90 | | sort label 91 | -60m@m 92 | now 93 | 1 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 |
104 |
105 |
106 |
107 | -------------------------------------------------------------------------------- /default/data/ui/views/macros_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Analyze your macros using the Splunk REST API. 4 | 5 | 6 | | rest splunk_server=* /servicesNS/-/-/configs/conf-macros 7 | | table splunk_server eai:acl.app title definition args errormsg eai:acl.perms.read eai:acl.perms.write eai:userName author disabled updated 8 | | rename eai:acl.* as * 9 | | sort app title 10 | 11 | $timepicker.earliest$ 12 | $timepicker.latest$ 13 | 14 | 15 |
16 | 17 | 18 | 19 | @w0 20 | now 21 | 22 | 23 | 24 | 25 | (splunk_server IN ( 26 | )) 27 | * 28 | 29 | 30 | 31 | All 32 | app 33 | app 34 | 35 | | fields app 36 | | dedup app 37 | | sort app 38 | 39 | , 40 | (app IN ( 41 | )) 42 | * 43 | 44 | 45 | 46 | All 47 | title 48 | title 49 | 50 | | search $appToken$ 51 | | fields title 52 | | dedup title 53 | | sort title 54 | 55 | , 56 | (title IN ( 57 | )) 58 | * 59 | 60 |
61 | 62 | 63 | <h1 align="center">Macros Summary</h1> 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | Found $app_count$ apps with macros. 72 | 73 | 74 | $job.resultCount$ 75 | 76 | | search $splunk_server_token$ $appToken$ $macroToken$ 77 | | chart dc(title) as count over app by disabled 78 | | addtotals fieldname="temp" 79 | | sort - temp 80 | | fields - temp 81 | | rename 0 as enabled, 1 as disabled 82 | | sort - count 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 |

Macro Details

105 | 106 |
107 |
108 | 109 | 110 | 111 | Found $lookupFile_count$ macros. REST endpoint: configs/conf-macros 112 | 113 | 114 | $job.resultCount$ 115 | 116 | | search $appToken$ $macroToken$ 117 | | replace 0 with "enabled", 1 with "disabled" in disabled 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 |
131 |
132 |
133 |
134 | -------------------------------------------------------------------------------- /default/data/ui/views/rbac_modifications.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | View changes made to users and roles. 4 | 5 | 6 | 7 | index=_audit info=granted (action=edit_user OR edit_role) 8 | | fields _time user action operation object host sourcetype 9 | 10 | $rbacMods_timepicker.earliest$ 11 | $rbacMods_timepicker.latest$ 12 | 13 |
14 | 15 | 16 | 17 | @w0 18 | now 19 | 20 | 21 | 22 | 23 | create 24 | edit 25 | remove 26 | list 27 | create,edit,remove 28 | ( 29 | ) 30 | operation= 31 | OR 32 | 33 | 34 | 35 | All 36 | ( 37 | ) 38 | * 39 | object= 40 | OR 41 | object 42 | object 43 | 44 | | fields object 45 | | dedup object 46 | 47 | 48 | 49 | 50 | host IN ( 51 | ) 52 | * 53 | 54 |
55 | 56 | 57 | 58 |

User and Role Modification History

59 | 60 |
61 |
62 | 63 | 64 | Modifications over Time 65 | 66 | 67 | object 68 | operation 69 | user 70 | host 71 | object 72 | 73 | 74 | Queries audit log, separates by user object, and colors by operation. List operations not shown. 75 | 76 | | search $objectToken$ $operationToken$ $hostToken$ 77 | | transaction user object operation maxspan=10m 78 | | timechart count by $rbacMod_splitBy$ 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | User and Role Modifications - Table 93 | 94 | 95 | | search $objectToken$ $operationToken$ action!="search" $hostToken$ 96 | | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") 97 | | table host user _time operation action object _raw 98 | | sort - _time 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | {"remove":#DC4E41,"create":#4FA484,"edit":#294E70,"list":#62B3B2} 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 |
128 |
129 |
130 |
131 | -------------------------------------------------------------------------------- /default/data/ui/views/license_usage.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Understand your license usage. 4 | 5 | 6 | 7 | index=_telemetry source="/opt/splunk/var/log/splunk/license_usage_summary.log" 8 | | bin _time span=1d 9 | | fields * 10 | | eval volume_converted=case( 11 | b>=(1024*1024*1024*1024),round(b/(1024*1024*1024*1024),0)." TB", 12 | b>=(1024*1024*1024),round(b/(1024*1024*1024),0)." GB", 13 | b>=(1024*1024),round(b/(1024*1024),0)." MB", 14 | b>=1024,round(b/1024,0)." KB", 15 | 1=1,b."B") 16 | | eval GB = round(b/(1024*1024*1024),2) 17 | 18 | $timepicker.earliest$ 19 | $timepicker.latest$ 20 | 21 | 22 | 23 | 24 | | metadata type=sourcetypes 25 | $timepicker.earliest$ 26 | $timepicker.latest$ 27 | 28 | 29 |
30 | 31 | 32 | 33 | -7d@h 34 | now 35 | 36 | 37 | 38 | 39 | All 40 | All internal 41 | title 42 | title 43 | 44 | | rest services/data/indexes 45 | | fields title 46 | | dedup title 47 | -24h@h 48 | now 49 | 50 | , 51 | index IN ( 52 | ) 53 | * 54 | 55 | 56 | 57 | All 58 | sourcetype IN ( 59 | ) 60 | sourcetype 61 | sourcetype 62 | , 63 | 64 | |fields sourcetype 65 | 66 | * 67 | 68 | 69 | 70 | host IN ( 71 | ) 72 | * 73 | 74 |
75 | 76 | 77 | 78 | 79 |

License Usage Overview

80 | 81 |
82 |
83 | 84 | 85 | 86 | Average Daily Ingest 87 | 88 | 89 | | timechart sum(GB) as GB span=1d 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | Ingest by Day of the Week 104 | 105 | | stats dc(_time) as days max(GB) as Max median(GB) as "Median" avg(GB) as Avg by date_wday 106 | | eval Avg = round(Avg, 2) 107 | | eval sort_order = case(date_wday = "sunday", "0", date_wday = "monday", "1", date_wday = "tuesday", "2", date_wday = "wednesday", "3", date_wday = "thursday", "4", date_wday = "friday", "5", date_wday = "saturday", "6") 108 | | sort sort_order 109 | | fields - sort_order 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 |
122 |
123 |
124 | 125 | 126 | 127 | 128 |

Ingest Over Time

129 | 130 |
131 |
132 | 133 | 134 | 135 | 136 | None 137 | index 138 | sourcetype 139 | host 140 | by index 141 | 142 | 143 | 144 | 145 | $job.resultCount$ 146 | $job.runDuration$ 147 | 148 | index=_internal source=*license_usage.log TERM(type=Usage) 149 | | fields idx, b, st, h, _time 150 | | rename idx as index, st as sourcetype 151 | | search $index_token$ 152 | | eval GB = round(b/(1024*1024*1024),2) 153 | | timechart sum(GB) as GB $split_by_token$ 154 | $timepicker.earliest$ 155 | $timepicker.latest$ 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 |
168 | -------------------------------------------------------------------------------- /default/data/ui/views/event_types_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Analyze your event types using the Splunk REST API. 4 | 5 | 6 | | rest splunk_server=* servicesNS/-/-/saved/eventtypes 7 | | rename eai:acl.* as * 8 | 9 | $timepicker.earliest$ 10 | $timepicker.latest$ 11 | 12 | 13 |
14 | 15 | 16 | 17 | @w0 18 | now 19 | 20 | 21 | 22 | 23 | All 24 | app 25 | app 26 | 27 | | fields app 28 | | dedup app 29 | | sort app 30 | 31 | , 32 | (app IN ( 33 | )) 34 | * 35 | 36 | 37 | 38 | (splunk_server IN ( 39 | )) 40 | * 41 | 42 | 43 | 44 | (title IN ( 45 | )) 46 | * 47 | 48 | 49 | 50 | tags IN ( 51 | ) 52 | * 53 | 54 |
55 | 56 | 57 | <h1 align="center">Event Type Summary</h1> 58 | 59 | 60 | 61 | 62 | 63 | 64 | Event Type Utilization by App 65 | 66 | Found $app_count$ distinct apps. 67 | 68 | 69 | $job.resultCount$ 70 | 71 | | search $splunk_server_token$ $appToken$ $eventtypeTitle_token$ $tag_token$ 72 | | stats dc(tags) as distinct_tags dc(splunk_server) as splunk_server_count count by app 73 | | sort - count 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 |
93 |
94 | 95 | 96 | Found $tag_count$ distinct tags. 97 | 98 | 99 | $job.resultCount$ 100 | 101 | | search $splunk_server_token$ $appToken$ $eventtypeTitle_token$ 102 | | stats values(*) as * by app title 103 | | table splunk_server app title search sharing tags 104 | | mvexpand tags 105 | | search $tag_token$ 106 | | stats dc(app) as distinct_apps values(app) as apps dc(splunk_server) as splunk_server_count dc(title) as eventtype_count by tags 107 | | sort - eventtype_count 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 |
129 |
130 |
131 | 132 | 133 | 134 |

Event Type Details

135 | 136 |
137 |
138 | 139 | 140 | 141 | Found $lookupFile_count$ eventtypes. 142 | 143 | 144 | $job.resultCount$ 145 | 146 | | search $splunk_server_token$ $appToken$ $eventtypeTitle_token$ $tag_token$ 147 | | stats values(*) as * by app title 148 | | eval title_lower=lower(title) 149 | | sort 0 title_lower 150 | | table splunk_server app title description search sharing tags disabled 151 | | replace 0 with " 0 (enabled)", 1 with "1 (disabled)" in disabled 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 |
165 |
166 |
167 |
168 | -------------------------------------------------------------------------------- /default/data/ui/views/metrics_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Analyze and understand your metrics indexes. 4 | 5 | 6 | |mcatalog values(_dims) as _dims where $indexToken$ $sourcetypeToken$ $hostToken$ $metric_nameToken$ by index sourcetype host metric_name 7 | $timepicker.earliest$ 8 | $timepicker.latest$ 9 | 10 | 11 | 12 | 13 |
14 | 15 | 16 | 17 | -4h@m 18 | now 19 | 20 | 21 | 22 | 23 | All non-internal 24 | All internal 25 | index 26 | index 27 | 28 | | mcatalog values(sourcetype) as sourcetype where index IN (*, _*) by index 29 | | sort index 30 | 0 31 | 32 | 33 | , 34 | *,_* 35 | index IN ( 36 | ) 37 | 38 | 39 | 40 | All 41 | sourcetype IN ( 42 | ) 43 | , 44 | sourcetype 45 | sourcetype 46 | 47 | | mcatalog values(sourcetype) as sourcetype where index IN (*, _*) 48 | | mvexpand sourcetype 49 | | sort sourcetype 50 | -24h@h 51 | now 52 | 53 | * 54 | 55 | 56 | 57 | All 58 | metric_name IN ( 59 | ) 60 | * 61 | , 62 | metric_name 63 | metric_name 64 | 65 | |mcatalog values(metric_name) as metric_name where index IN (*, _*)|mvexpand metric_name 66 | -24h@h 67 | now 68 | 69 | 70 | 71 | 72 | All 73 | host IN ( 74 | ) 75 | * 76 | , 77 | host 78 | host 79 | 80 | |mcatalog values(host) as host where index IN (*, _*)|mvexpand host|sort host 81 | -24h@h 82 | now 83 | 84 | 85 |
86 | 87 | 88 | 89 |

Available Metrics

90 |

By index, sourcetype, and available dimensions

91 | 92 |
93 |
94 | 95 | 96 | 97 | 98 | | stats values(_dims) as dimensions by index sourcetype metric_name 99 | | eval dimensions = mvjoin(dimensions, ", ") 100 | | mvcombine metric_name 101 | | eval metrics = mvjoin(metric_name, ", ") 102 | | table index sourcetype metrics dimensions 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 |
119 |
120 |
121 | 122 | 123 | 124 |

Metrics Ingestion

125 | 126 |
127 |
128 | 129 | 130 | 131 | 132 | index 133 | sourcetype 134 | metric_name 135 | - none - 136 | by 137 | index 138 | 139 | 140 | 141 | 1s 142 | 15s 143 | 1m 144 | 15m 145 | 1h 146 | 4h 147 | 1d 148 | 1w 149 | 1mo 150 | span= 151 | 15m 152 | 153 | 154 | Metrics Events over Time 155 | 156 | | mstats $spanToken$ count(_value) as foo where $indexToken$ $sourcetypeToken$ $hostToken$ $metric_nameToken$ by index sourcetype metric_name 157 | | timechart $spanToken$ limit=20 sum(foo) as count $splitBy_Token$ 158 | $timepicker.earliest$ 159 | $timepicker.latest$ 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 |
175 | -------------------------------------------------------------------------------- /default/data/ui/views/splunkd_log_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | index=_internal sourcetype=splunkd source="*splunkd.log" $host_token$ $log_level_token$ 6 | | fields _time host splunk_server log_level component event_message 7 | | reltime 8 | 9 | $internalLogs_timepicker.earliest$ 10 | $internalLogs_timepicker.latest$ 11 | 12 |
13 | 14 | 15 | 16 | -15m 17 | now 18 | 19 | 20 | 21 | 22 | All 23 | DEBUG 24 | INFO 25 | WARN 26 | ERROR 27 | FATAL 28 | ( 29 | ) 30 | WARN,ERROR 31 | log_level=" 32 | OR 33 | " 34 | 35 | 36 | 37 | host IN ( 38 | ) 39 | * 40 | 41 | 42 | 43 | * 44 | event_message=" 45 | " 46 | 47 |
48 | 49 | 50 | <h1 align="center">Logs Over Time</h1> 51 | 52 | 53 | 54 | 55 | 56 | 57 | host 58 | log_level 59 | component 60 | splunk_server 61 | event_message 62 | log_level 63 | 64 | 65 | 66 | | timechart count by $log_timechart_splitby$ 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | Recent Logs 107 | 108 | $recentLogs_resultCount$ logs found in time range. 109 | 110 | 111 | $job.resultCount$ 112 | 113 | 114 | strftime(strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S %p"),"%Y/%m/%d %H:%M:%S %p") 115 | strftime(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S %p"),"%Y/%m/%d %H:%M:%S %p") 116 | 117 | | table _time reltime host log_level component event_message sid 118 | | fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M:%S") 119 | | sort - _time 120 | 121 | 122 | 123 | 124 | 125 | {"WARN":#F8BE34,"ERROR":#DC4E41,"INFO":#708794} 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 |
136 |
137 |
138 | 139 | 140 | <h1 align="center">Splunkd Log Details</h1> 141 | 142 | 143 | 144 | 145 | Top Messages 146 | 147 | $messages_resultCount$ unique messages found in time range. 148 | 149 | 150 | $job.resultCount$ 151 | 152 | 153 | $job.earliestTime$ 154 | 155 | | stats dc(host) as distinct_hosts latest(reltime) as last_seen sparkline as trend count by log_level component event_message 156 | | sort - count 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | {"INFO":#708794,"WARN":#F8BE34,"ERROR":#DC4E41} 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 184 | 185 | 186 |
187 |
188 |
189 |
190 | -------------------------------------------------------------------------------- /default/data/ui/views/data_model_utilization.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Understand your use of data models. 4 | 5 | 6 | 7 | | rest $splunk_server_token$ /servicesNS/-/-/datamodel/model 8 | | rename eai:acl.* as * 9 | | spath input=acceleration output=acceleration_enabled path=enabled 10 | | spath input=description output=fields objects{}.fields{}.fieldName 11 | | spath input=description output=tags objects{}.comment{}.tags{} 12 | | spath input=description output=autoextractSearch objects{}.autoextractSearch 13 | 14 | -1d 15 | now 16 | 17 | 18 | 19 | 20 | | search $displayName_token$ $app_token$ $status_token$ $acceleration_enabled_token$ 21 | 22 | 23 |
24 | 25 | 26 | 27 | splunk_server 28 | splunk_server 29 | 30 | 31 | | rest servicesNS/-/-/server/info 32 | | dedup splunk_server 33 | | fields splunk_server 34 | 35 | -24h@h 36 | now 37 | 38 | All 39 | local 40 | local 41 | splunk_server= 42 | 43 | 44 | 45 | All 46 | * 47 | OR 48 | ( 49 | ) 50 | displayName=" 51 | displayName 52 | displayName 53 | 54 | | dedup displayName 55 | 56 | " 57 | 58 | 59 | 60 | All 61 | * 62 | eai:acl.app 63 | eai:acl.app 64 | 65 | 66 | | rest /servicesNS/-/-/datamodel/model 67 | | fields eai:acl.app 68 | | dedup eai:acl.app 69 | 70 | -30d@d 71 | now 72 | 73 | OR 74 | ( 75 | ) 76 | app= 77 | 78 | 79 | 80 | true 81 | false 82 | (acceleration_enabled IN ( 83 | )) 84 | true,false 85 | , 86 | 87 | 88 | 89 | enabled 90 | disabled 91 | (disabled IN ( 92 | )) 93 | 0,1 94 | , 95 | disabled 96 | disabled 97 | 98 |
99 | 100 | 101 | <h1 align="center">Data Models Overview</h1> 102 | 103 | 104 | 105 | 106 | 107 | 108 | Distinct Counts 109 | 110 | | stats dc(title) as "distinct data models", dc(app) as "distinct apps", dc(tags) as "distinct tags", dc(splunk_server) as "distinct splunk servers" 111 | | transpose 0 column_name=property 112 | | rename "row 1" as value 113 | 114 | 115 | 116 |
118 | 119 | 120 | Distinct data models by app, enabled/disabled 121 | 122 | | chart dc(title) over app by disabled 123 | | addtotals fieldname=temp_field 124 | | sort - temp_field 125 | | fields - temp_field 126 | | rename 0 as enabled, 1 as disabled 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | Distinct data models by App, Acceleration 140 | 141 | | chart dc(title) over app by acceleration_enabled 142 | | addtotals fieldname=temp_field 143 | | sort - temp_field 144 | | fields - temp_field 145 | | rename false as "not accelerated", true as "accelerated" 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 |
157 | 158 | 159 | Data Model Details 160 | 161 | 162 | | rename eai:acl.* as * 163 | | streamstats values(tags) as tags by splunk_server app title 164 | | eval tags=mvjoin(tags, "; ") 165 | | table splunk_server app title displayName tags perms.* author acceleration_enabled disabled 166 | | rename eai:acl.* as * 167 | | sort disabled - acceleration_enabled splunk_server app 168 | | mvcombine splunk_server 169 | | replace 0 with "false", 1 with "true" in disabled 170 | | sort + disabled - acceleration_enabled + splunk_server app title 171 | 172 | 173 | 174 | 175 | 176 | 177 | {"0":#53A051,"1":#DC4E41} 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | {"false":#53A051} 205 | 206 | 207 | {"true":#53A051} 208 | 209 |
213 | -------------------------------------------------------------------------------- /default/data/ui/views/data_flow.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Explore data in events and indexes. 4 | 5 | 6 | | tstats prestats=t summariesonly=t count where $indexToken$ by _time index sourcetype host source splunk_server 7 | | fields _time index sourcetype host source splunk_server 8 | | search $sourcetypeToken$ AND $hostToken$ AND $splunk_serverToken$ 9 | |append 10 | [mstats span=1m count(_value) as count where $indexToken$ $sourcetypeToken$ $hostToken$ metric_name=* by index sourcetype host source] 11 | 12 | $eventFlow_timepicker.earliest$ 13 | $eventFlow_timepicker.latest$ 14 | 15 |
16 | 17 | 18 | 19 | @d 20 | now 21 | 22 | 23 | 24 | 25 | All 26 | All non-internal 27 | All internal 28 | ( 29 | ) 30 | index= 31 | OR 32 | title 33 | title 34 | 35 | | rest services/data/indexes datatype=all 36 | | fields title 37 | | dedup title 38 | -24h@h 39 | now 40 | 41 | * NOT index="_*" 42 | 43 | 44 | 45 | All 46 | sourcetype 47 | sourcetype 48 | 49 | | metadata type=sourcetypes index=* index=_* 50 | | fields sourcetype 51 | | dedup sourcetype 52 | 0 53 | 54 | 55 | sourcetype IN ( 56 | ) 57 | , 58 | * 59 | 60 | 61 | 62 | * 63 | host= 64 | 65 | 66 | 67 | * 68 | splunk_server= 69 | 70 |
71 | 72 | 73 | <h1 align="center">Data Overview</h1> 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | | stats dc(index) as "Indexes Seen" dc(sourcetype) as "Sourcetypes Seen" dc(host) as "Hosts Seen" dc(source) as "Sources Seen" dc(splunk_server) as "Indexers with Buckets" count as "Total Events" 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | | timechart dc(index) as "Indexes Seen" dc(sourcetype) as "Sourcetypes Seen" dc(host) as "Hosts Seen" dc(source) as "Sources Seen" dc(splunk_server) as "Indexers with Buckets" COUNT as "Total Events" 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | <h1 align="center">Data Flow Over Time</h1> 135 | 136 | 137 | 138 | 139 | 140 | Events over Time 141 | 142 | 143 | index 144 | sourcetype 145 | host 146 | source 147 | indexer 148 | index 149 | 150 | 151 | 152 | | eval index=ltrim(index, "VALUE") 153 | | timechart count by $splitBy_OverTime$ 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 |
192 | -------------------------------------------------------------------------------- /default/data/ui/views/lookups_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Analyze your lookups using the Splunk REST API. 4 | 5 | 6 | | rest splunk_server=local /servicesNS/-/-/data/lookup-table-files 7 | | eval source="file" 8 | | append 9 | [rest splunk_server=local /servicesNS/-/-/data/props/lookups 10 | |eval source="props"] 11 | | append 12 | [rest splunk_server=local /servicesNS/-/-/data/transforms/lookups 13 | |eval source="transforms"] 14 | 15 | | eval _time=strptime(updated, "%Y-%m-%dT%H:%M:%S%z") 16 | | fillnull _time value="0" 17 | 18 | | reltime 19 | | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") 20 | | eval updated=_time." (".reltime.")" 21 | | rename eai:acl.* as * 22 | | rename eai:* as * 23 | 24 | $timepicker.earliest$ 25 | $timepicker.latest$ 26 | 27 | 28 |
29 | 30 | 31 | 32 | @w0 33 | now 34 | 35 | 36 | 37 | 38 | All 39 | app 40 | app 41 | 42 | | fields app 43 | | dedup app 44 | | sort app 45 | 46 | , 47 | (app IN ( 48 | )) 49 | * 50 | 51 | 52 | 53 | (splunk_server IN ( 54 | )) 55 | * 56 | 57 |
58 | 59 | 60 | <h1 align="center">Lookups Summary</h1> 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | Lookup Utilization by App 69 | 70 | | search $splunk_server_token$ $appToken$ 71 | | chart count over app by source 72 | | addtotals fieldname="temp_sort" 73 | | sort - temp_sort 74 | | fields - temp_sort 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | KV Store Collections 92 | 93 | 94 | | rest splunk_server=local /servicesNS/-/-/server/introspection/kvstore/collectionstats 95 | | eval source="collections" 96 | | fillnull _time value="0" 97 | | reltime 98 | | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") 99 | | eval updated=_time." (".reltime.")" 100 | | rename eai:acl.* as * 101 | | rename eai:* as * 102 | | mvexpand data 103 | | spath input=data 104 | | fields - app 105 | | rex field=ns "(?<app>.*)\.(?<collection>.*)"| eval dbsize=round(size/1024/1024, 2) 106 | | eval indexsize=round(totalIndexSize/1024/1024, 2) 107 | | search $appToken$ 108 | | stats values(collection) as collections by app 109 | -24h@h 110 | now 111 | 1 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 |

Lookup Details

129 | 130 | 131 | Lookup Files 132 | 133 | 134 | All 135 | title 136 | title 137 | 138 | | search source=file $appToken$ 139 | | fields title 140 | | dedup title 141 | | sort title 142 | 143 | , 144 | (title IN ( 145 | )) 146 | * 147 | 148 | 149 | Found $lookupFile_count$ lookup files. REST endpoint: data/lookup-table-files 150 | 151 | 152 | $job.resultCount$ 153 | 154 | | search source=file $appToken$ $lookupFileTitle_token$ 155 | | eval perms.read=mvjoin('perms.read', "; ") 156 | | eval perms.write=mvjoin('perms.write',"; ") 157 | | table title app perms.* disabled author updated 158 | | sort - updated 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 |
170 | 171 | 172 | Props.conf Automatic Lookups 173 | 174 | 175 | All 176 | title 177 | title 178 | 179 | | search source=props $appToken$ 180 | | fields title 181 | | dedup title 182 | | sort title 183 | 184 | , 185 | (title IN ( 186 | )) 187 | * 188 | 189 | 190 | Found $propsLookup_count$ automatic lookups in props.conf. REST endpoint: data/props/lookups 191 | 192 | 193 | $job.resultCount$ 194 | 195 | | search source=props $appToken$ $automaticLookupTitle_token$ 196 | | eval perms.read=mvjoin('perms.read', "; ") 197 | | eval perms.write=mvjoin('perms.write',"; ") 198 | | table title app stanza transform value author splunk_server perms.* updated 199 | | sort - updated 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 |
210 | 211 | 212 | Transforms.conf Lookup Definitions 213 | 214 | 215 | All 216 | title 217 | title 218 | 219 | | search source=transforms $appToken$ 220 | | fields title 221 | | dedup title 222 | | sort title 223 | 224 | , 225 | (title IN ( 226 | )) 227 | * 228 | 229 | 230 | 231 | All 232 | file 233 | kvstore 234 | geo 235 | external 236 | * 237 | (type IN ( 238 | )) 239 | , 240 | 241 | 242 | Found $transformsLookup_count$ lookup definitions in transforms.conf. REST Endpoint: data/transforms/lookups 243 | 244 | 245 | $job.resultCount$ 246 | 247 | | search source=transforms $appToken$ $lookupDefinitionTitle_token$ $lookupDefinition_type_token$ 248 | | eval perms.read=mvjoin('perms.read', "; ") 249 | | eval perms.write=mvjoin('perms.write',"; ") 250 | | table title app type filename collection author splunk_server perms.* updated 251 | | sort - updated 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 |
264 | -------------------------------------------------------------------------------- /default/data/ui/views/popular_data.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Which data is searched most often? Limited to completed searches only. 4 | 5 | 6 | 7 | index=_audit source=audittrail sourcetype=audittrail action=search info=completed $search_userToken$ $searchFilter$ 8 | | fields _time user roles savedsearch_name total_run_time search_type search exec_time api_lt api_et event_count drop_count searched_buckets 9 | | rex "search=\'(?<thesearch>(?:\n|.)*?)\'\, autojoin" 10 | | rex field=search "(?:[^\"\']|^)index=(?<indexes_searched>[^\s\=]+)" 11 | | rex field=search "(?:[^\"\']|^)sourcetype=(?<sourcetypes_searched>[^\s\=]+)" 12 | | rex field=search "(?:[^\"\']|^)host=(?<hosts_searched>[^\s\=]+)" 13 | | rex field=search "(?<macros_searched>\`[^\s]+\`)" 14 | | foreach *_searched 15 | [ eval <<FIELD>>=ltrim(rtrim(<<FIELD>>, "\'\)\"\|"), "\'\)\"\|")] 16 | | eval roles=ltrim(rtrim(roles,"'"),"'") 17 | | makemv roles delim=+ 18 | | search $roleToken$ 19 | 20 | $search_timepicker.earliest$ 21 | $search_timepicker.latest$ 22 | 23 | 24 | 25 |
26 | 27 | 28 | 29 | @w0 30 | now 31 | 32 | 33 | 34 | 35 | Index(es) searched 36 | Sourcetype(s) searched 37 | Macro(s) searched 38 | Host(s) searched 39 | indexes_searched 40 | 41 | 42 | 43 | All 44 | ( 45 | ) 46 | roles=* 47 | * 48 | OR 49 | title 50 | title 51 | 52 | | rest services/authorization/roles 53 | | fields title 54 | | dedup title 55 | -24h@h 56 | now 57 | 58 | * 59 | 60 | 61 | 62 | All User Accounts 63 | All 64 | splunk-system-user 65 | ( 66 | ) 67 | user= 68 | OR 69 | title 70 | title 71 | 72 | | rest splunk_server=local services/authentication/users 73 | -24h@h 74 | now 75 | 76 | * NOT user=splunk-system-user 77 | 78 | 79 | 80 | * 81 | search=" 82 | " 83 | 84 |
85 | 86 | 87 | <div class="expand-html-margins"> 88 | <h1 align="center">Common Search Terms</h1> 89 | <p align="center">Look for common queries like 'index='.</p> 90 | </div> 91 | 92 | 93 | 94 | 95 | Top Search Terms 96 | 97 | 98 | | stats dc(user) as "Distinct Users" mode(user) as "Top User" mode(roles) as "Top Roles" dc(savedsearch_name) as "Saved Searches" dc(search) as "Distinct Searches" sparkline as trend count by $popularData_splitBy$ 99 | | sort - count 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 |
128 | 129 | Search Term Prevalence Over Time 130 | 131 | 132 | | timechart usenull=f count by $popularData_splitBy$ 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | Percent of searches where term is used 149 | 150 | | fillnull value="search term not used" $popularData_splitBy$ 151 | | timechart count by $popularData_splitBy$ 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 |
170 | 171 | 172 | <h1 align="center">Data Popularity by User and Role</h1> 173 | <p align="center">Monitor adoption and compliance with RBAC model.</p> 174 | 175 | 176 | 177 | 178 | Top Query Users 179 | 180 | 181 | roles 182 | user 183 | roles 184 | 185 | 186 | By Roles 187 | 188 | | stats dc(user) as "Distinct Users" mode(user) as "Top User" dc(savedsearch_name) as "Distinct Saved Searches" dc(search) as "Distinct Searches" sparkline as trend count by $popularity_splitBy$ 189 | | sort - count 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 |
226 | 227 | Popular Search Terms Values 228 | 229 | Sankey limited to top 30 in either category. 230 | 231 | | stats count by $popularData_splitBy$ $popularity_splitBy$ 232 | | sort - count 233 | | head 30 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 |
252 | -------------------------------------------------------------------------------- /default/data/ui/views/rbac_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Observe adherence to RBAC model design. Monitor system access. 4 | 5 | 6 | 7 | | rest $splunk_server_token$ servicesNS/-/-/data/indexes 8 | 9 | 10 | 11 | 12 | 13 | | rest $splunk_server_token$ /servicesNS/-/-/authorization/roles 14 | | eval number_capabilities=mvcount(capabilities) 15 | | eval capabilities_configured=if(number_capabilities > 0, "y", "n") 16 | | eval type=if(match(title,"^(?:admin|can_delete|power|splunk-system-role|user|ess_admin|ess_analyst|ess_user)$$"),"default","custom") 17 | | join type=left title 18 | [| rest /services/authentication/users 19 | | mvexpand roles 20 | | stats dc(title) as number_users by roles 21 | | rename roles as title] 22 | 23 | 24 | 25 | 26 | 27 | | rest $splunk_server_token$ /servicesNS/-/-/authentication/users 28 | | eval seconds_since_login=now()-last_successful_login 29 | | eval last_successful_login=strftime(last_successful_login,"%Y-%m-%d %H:%M") 30 | | eval elapsed_since_login=case(seconds_since_login < 3600, round(seconds_since_login / 60) . " min ago", 31 | seconds_since_login < 86400, round(seconds_since_login / 3600, 1) . " hours ago", 32 | seconds_since_login < 604800, round(seconds_since_login / 86400, 1) . " days ago", 33 | seconds_since_login < 31536000, round(seconds_since_login / 604800, 1) . " weeks ago", 34 | seconds_since_login >=31536000, round(seconds_since_login / 31536000, 1) . " yrs ago") 35 | | eval num_roles=mvcount(roles) 36 | 37 | 38 |
39 | 40 | 41 | All 42 | local 43 | splunk_server 44 | splunk_server 45 | 46 | | stats values(splunk_server) as splunk_server 47 | | mvexpand splunk_server 48 | 49 | * 50 | splunk_server= 51 | 52 |

Roles and Indexes Overview

60 | 61 | 62 | Roles 63 | 64 | 65 | |stats dc(splunk_server) 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | |stats dc(title) 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | |stats dc(title) 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | |stats dc(title) 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | Authentication Integrations 101 | 102 | | rest $splunk_server_token$ services/admin/SAML-groups 103 | | eval type="SAML-groups" 104 | | append 105 | [ rest splunk_server=* services/admin/LDAP-groups 106 | | eval type="LDAP-groups"] 107 | | table splunk_server type title roles author updated 108 | | stats dc(title) as group_count dc(roles) as role_count by splunk_server type 109 | | sort - group_count role_count 110 | -60m@m 111 | now 112 | 1 113 | 114 | 115 | 116 | 117 | {"total":#294E70} 118 | 119 | 120 | 121 | 122 | 123 |
125 | 126 | 127 | Roles by Type 128 | 129 | | stats dc(title) as number_roles by splunk_server type 130 | | sort - number_roles 131 | 132 | 133 | 134 | {"total":#294E70} 135 | 136 |
138 | 139 | 140 | Indexes by App 141 | 142 | | rename eai:acl.app as app 143 | | stats dc(title) as number_indexes by app 144 | | sort - number_indexes 145 | 146 | 147 | 148 | {"total":#294E70} 149 | 150 |
152 | 153 | 154 | Users by Admin, Type 155 | 156 | | eval is_admin=if(roles="admin", "y", "n") 157 | | mvcombine splunk_server 158 | | stats dc(title) as user_count by is_admin type 159 | | sort - user_count 160 | 161 | 162 | 163 | {"total":#708794} 164 | 165 | 166 | 167 | 168 | 169 | 170 | {"total":#294E70} 171 | 172 |

Explore Data Access

182 | 183 | 184 | Role Details 185 | 186 | 187 | ( 188 | ) 189 | title= 190 | OR 191 | title 192 | title 193 | 194 | | rest $splunk_server_token$ /services/authorization/roles 195 | | fields title 196 | | dedup title 197 | 0 198 | 199 | 200 | All 201 | * 202 | 203 | 204 | 205 | - any - 206 | _* 207 | * 208 | 209 | title 210 | title_token 211 | 212 | | rest $splunk_server_token$ services/data/indexes 213 | | dedup title 214 | | fields title 215 | | eval title_token="srchIndexesAllowed=".title 216 | -24h@h 217 | now 218 | 219 | 220 | 221 | 222 | - any - 223 | _* 224 | * 225 | 226 | title 227 | title_token 228 | 229 | | rest $splunk_server_token$ services/data/indexes 230 | | dedup title 231 | | fields title 232 | | eval title_token="imported_srchIndexesAllowed=".title 233 | -24h@h 234 | now 235 | 236 | 237 | 238 | 239 | yes 240 | no 241 | number_users 242 | 243 | 244 | 245 | | fields splunk_server title srchIndexesAllowed srchIndexesDefault srchFilter imported_roles imported_srchIndexesAllowed imported_srchFilter defaultApp author number_capabilities number_users capabilities 246 | | rename imported_* as "imported *" 247 | | search $role_token$ $srchIndexesAllowed_token$ 248 | | eval capabilities=mvjoin(capabilities,"; ") 249 | | table splunk_server title srchIndexesAllowed srchIndexesDefault srchFilter imported* defaultApp author number_capabilities $capabilities_token$ 250 | | sort - number_users updated 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 |
270 | 271 | 272 | Explore Users 273 | 274 | 275 | All 276 | ( 277 | ) 278 | * 279 | title= 280 | OR 281 | title 282 | title 283 | 284 | | rest /services/authentication/users 285 | | fields title 286 | | dedup title 287 | 0 288 | 289 | 290 | 291 | 292 | 293 | All 294 | ( 295 | ) 296 | * 297 | roles= 298 | OR 299 | title 300 | title 301 | 302 | | rest /services/authorization/roles 303 | | fields title 304 | | dedup title 305 | 0 306 | 307 | 308 | 309 | 310 | Queries REST /services/authentication/users for all roles assigned to a user. 311 | 312 | | eval last_successful_login=last_successful_login." - ".elapsed_since_login | search $userSrch_user_token$ $userSrch_role_token$ 313 | | rename title as userName, realname as Name 314 | | table splunk_server Name userName email roles defaultApp type last_successful_login 315 | | sort - lastLogin 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 |
332 | -------------------------------------------------------------------------------- /default/data/ui/views/search_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Audit all searches. 4 | 5 | 6 | 7 | index=_audit source=audittrail sourcetype=audittrail action=search exec_time!="" $search_infoToken$ $search_userToken$ 8 | | fields _time user roles info savedsearch_name total_run_time search_type search exec_time api_lt api_et event_count drop_count searched_buckets 9 | | eval type=if(savedsearch_name="","ad-hoc","saved") 10 | | eval roles=rtrim(ltrim(roles, "'"),"'") 11 | | eval search=rtrim(ltrim(search, "'search "),"'") 12 | | eval range_sec=api_lt-api_et 13 | | eval range=case(range_sec < 3600, round(range_sec / 60) . " min", 14 | range_sec < 86400, round(range_sec / 3600, 1) . " hrs", 15 | range_sec < 31536000, round(range_sec / 86400, 1) . " days", 16 | range_sec >=31536000, round(range_sec / 31536000, 1) . " yrs") 17 | | foreach api_* exec_time 18 | [ eval <<FIELD>>=strftime(<<FIELD>>, "%Y-%m-%d %H:%M:%S")] 19 | | rename api_et as "Range (earliest)", api_lt as "Range (latest)" 20 | | makemv roles delim=+ 21 | | eval number_roles=mvcount(roles) 22 | | search $roleToken$ $typeFilter$ 23 | 24 | $search_timepicker.earliest$ 25 | $search_timepicker.latest$ 26 | 27 | 28 | 29 |
30 | 31 | 32 | 33 | -60m@m 34 | now 35 | 36 | 37 | 38 | 39 | All 40 | completed 41 | canceled 42 | failed 43 | pause 44 | granted 45 | ( 46 | ) 47 | info= 48 | OR 49 | * 50 | 51 | 52 | 53 | All 54 | ( 55 | ) 56 | roles= 57 | OR 58 | title 59 | title 60 | 61 | | rest services/authorization/roles 62 | | fields title 63 | | dedup title 64 | -24h@h 65 | now 66 | 67 | * 68 | 69 | 70 | 71 | All User Accounts 72 | All 73 | splunk-system-user 74 | ( 75 | ) 76 | user= 77 | OR 78 | title 79 | title 80 | 81 | | rest splunk_server=local services/authentication/users 82 | -24h@h 83 | now 84 | 85 | * NOT user=splunk-system-user 86 | 87 | 88 | 89 | ad-hoc 90 | saved 91 | ad-hoc,saved 92 | ( 93 | ) 94 | type= 95 | OR 96 | 97 |

Search Overview

105 | 106 | 107 | Search Overview 108 | 109 | 110 | | stats count as "Total Searches" dc(user) as "Distinct Users" dc(savedsearch_name) as "Distinct Saved Searches" dc(search) as "Distinct Searches" 111 | | transpose 112 | | rename column as metric, "row 1" as value 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 |
138 | 139 | Search Performance 140 | 141 | 142 | | stats max(total_run_time) as "Longest Search Runtime" perc90(total_run_time) as "Perc90 Search Runtime" avg(total_run_time) as "Average Search Runtime" median(total_run_time) as "Median Search Runtime" 143 | | transpose 144 | | rename column as "Search Metric", "row 1" as value 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 |
186 | 187 | Role Invocation 188 | 189 | 190 | | eval number_roles_invoked=mvcount(roles) 191 | | stats max(number_roles_invoked) as "Max Roles Invoked" perc90(number_roles_invoked) as "Perc90 Roles Invoked" avg(number_roles_invoked) as "Avg Roles Invoked" median(number_roles_invoked) as "Median Roles Invoked" 192 | | transpose 193 | | rename column as "Search Metric", "row 1" as value 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 |

Searches Over Time

247 | 248 | 249 | Search Overview 250 | 251 | Based on time range selected. 252 | 253 | | timechart count as "Total Searches" dc(user) as "Distinct Users" dc(savedsearch_name) as "Distinct Saved Searches" dc(search) as "Distinct Searches" 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | info 273 | user 274 | type 275 | info 276 | 277 | 278 | 279 | | timechart count by $splitby_token$ 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 |

Search Details

301 | 302 | 303 | 304 | 305 | | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") 306 | | table _time exec_time user roles info savedsearch_name type search "Range (earliest)" "Range (latest)" range_sec range event_count drop_count searched_buckets total_run_time 307 | | sort - _time 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | {"completed":#53A051,"canceled":#F8BE34,"failed":#DC4E41,"cancel":#F8BE34,"granted":#006400} 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 |
358 | -------------------------------------------------------------------------------- /default/data/ui/views/admin_assistant_template.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Audit all searches. 4 | 5 | 6 | 7 | index=_audit source=audittrail sourcetype=audittrail $host_token$ action=search exec_time!="" $search_infoToken$ $search_userToken$ 8 | | fillnull app value="-" 9 | | search $app_token$ 10 | | fields _time host user roles info app savedsearch_name total_run_time search_type search exec_time api_lt api_et event_count drop_count searched_buckets 11 | | eval type=if(savedsearch_name="","ad-hoc","saved") 12 | | eval roles=rtrim(ltrim(roles, "'"),"'") 13 | | eval search=rtrim(ltrim(search, "'search "),"'") 14 | | eval range_sec=api_lt-api_et 15 | | eval range=case(range_sec < 3600, round(range_sec / 60) . " min", 16 | range_sec < 86400, round(range_sec / 3600, 1) . " hrs", 17 | range_sec < 31536000, round(range_sec / 86400, 1) . " days", 18 | range_sec >=31536000, round(range_sec / 31536000, 1) . " yrs") 19 | | foreach api_* exec_time 20 | [ eval <<FIELD>>=strftime(<<FIELD>>, "%Y-%m-%d %H:%M:%S")] 21 | | rename api_et as "Range (earliest)", api_lt as "Range (latest)" 22 | | makemv roles delim=+ 23 | | eval number_roles=mvcount(roles) 24 | | search $roleToken$ $typeFilter$ 25 | 26 | $search_timepicker.earliest$ 27 | $search_timepicker.latest$ 28 | 29 | 30 | 31 |
32 | 33 | 34 | 35 | -60m@m 36 | now 37 | 38 | 39 | 40 | 41 | host IN ( 42 | ) 43 | , 44 | host 45 | host 46 | 47 | | rest servicesNS/-/-/server/info 48 | | dedup host 49 | | fields host 50 | -365d@d 51 | now 52 | 53 | All 54 | * 55 | 56 | 57 | 58 | All 59 | completed 60 | canceled 61 | failed 62 | pause 63 | granted 64 | ( 65 | ) 66 | info= 67 | OR 68 | * 69 | 70 | 71 | 72 | All 73 | ( 74 | ) 75 | roles= 76 | OR 77 | title 78 | title 79 | 80 | | rest services/authorization/roles 81 | | fields title 82 | | dedup title 83 | -24h@h 84 | now 85 | 86 | * 87 | 88 | 89 | 90 | All 91 | app IN ( 92 | ) 93 | * 94 | , 95 | title 96 | title 97 | 98 | |rest splunk_server=* servicesNS/-/-/apps/local 99 | 100 | 101 | 102 | 103 | All User Accounts 104 | All 105 | splunk-system-user 106 | ( 107 | ) 108 | user= 109 | OR 110 | title 111 | title 112 | 113 | | rest splunk_server=* services/authentication/users 114 | -24h@h 115 | now 116 | 117 | * NOT user=splunk-system-user 118 | 119 | 120 | 121 | ad-hoc 122 | saved 123 | ad-hoc,saved 124 | ( 125 | ) 126 | type= 127 | OR 128 | 129 |

Search Overview

137 | 138 | 139 | Search Overview 140 | 141 | 142 | | stats count as "Total Searches" dc(user) as "Distinct Users" dc(savedsearch_name) as "Distinct Saved Searches" dc(search) as "Distinct Searches" 143 | | transpose 144 | | rename column as metric, "row 1" as value 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 |
165 | 166 | Search Performance 167 | 168 | 169 | | stats max(total_run_time) as "Longest Search Runtime" perc90(total_run_time) as "Perc90 Search Runtime" avg(total_run_time) as "Average Search Runtime" median(total_run_time) as "Median Search Runtime" 170 | | transpose 171 | | rename column as "Search Metric", "row 1" as value 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 |
213 | 214 | Role Invocation 215 | 216 | 217 | | eval number_roles_invoked=mvcount(roles) 218 | | stats max(number_roles_invoked) as "Max Roles Invoked" perc90(number_roles_invoked) as "Perc90 Roles Invoked" avg(number_roles_invoked) as "Avg Roles Invoked" median(number_roles_invoked) as "Median Roles Invoked" 219 | | transpose 220 | | rename column as "Search Metric", "row 1" as value 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 |

Searches Over Time

274 | 275 | 276 | Search Overview 277 | 278 | Based on time range selected. 279 | 280 | | timechart count as "Total Searches" dc(user) as "Distinct Users" dc(savedsearch_name) as "Distinct Saved Searches" dc(search) as "Distinct Searches" 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | info 300 | user 301 | type 302 | app 303 | info 304 | 305 | 306 | 307 | | timechart count by $splitby_token$ 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 |

Search Details

329 | 330 | 331 | 332 | 333 | Show search 334 | Don't show search 335 | 336 | 337 | 338 | 339 | | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") 340 | | table _time host app exec_time user roles savedsearch_name type "Range (earliest)" "Range (latest)" range_sec range event_count drop_count searched_buckets total_run_time $show_search_token$ info 341 | | eval roles=mvjoin(roles, "; ") 342 | | sort - _time 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | 356 | {"completed":#53A051,"canceled":#F8BE34,"failed":#DC4E41,"cancel":#F8BE34,"granted":#006400} 357 | 358 | 359 | 360 | 361 | 362 | 363 | 364 | 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | 380 | 381 |
385 | -------------------------------------------------------------------------------- /default/data/ui/views/user_logins.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Analyze user logins and authentication activity. 4 | 5 | 6 | 7 | index=_audit sourcetype=audittrail action="login attempt" $userToken$ $useragent_token$ $host_token$ $info_token$ 8 | | fields _time user host info clientip useragent session src reason method 9 | | join user 10 | [ | rest /servicesNS/-/-/authentication/users 11 | | rename title as user 12 | | fields user roles] 13 | | search $roleToken$ 14 | 15 | $login_timerange_token.earliest$ 16 | $login_timerange_token.latest$ 17 | 18 |
19 | 20 | 21 | 22 | @w0 23 | now 24 | 25 | 26 | 27 | 28 | All 29 | * 30 | ( 31 | ) 32 | roles= 33 | OR 34 | title 35 | title 36 | 37 | | rest /servicesNS/-/-/authorization/roles 38 | | fields title 39 | | dedup title 40 | -24h@h 41 | now 42 | 43 | 44 | 45 | 46 | All 47 | * 48 | ( 49 | ) 50 | user= 51 | OR 52 | title 53 | title 54 | 55 | | rest /servicesNS/-/-/authentication/users 56 | | fields title 57 | | dedup title 58 | -24h@h 59 | now 60 | 61 | 62 | 63 | 64 | All 65 | succeeded 66 | failed 67 | (info IN ( 68 | )) 69 | * 70 | , 71 | 72 | 73 | 74 | * 75 | 76 | 77 | 78 | * 79 | (host IN ( 80 | )) 81 | 82 |

Logins Overview

90 | 91 | 92 | Logins by Info 93 | 94 | 95 | | stats dc(user) as "Distinct Users" dc(host) as "Distinct Hosts" count by info 96 | | sort - count 97 | | addcoltotals count labelfield="Distinct Users" label=total 98 | 99 | 100 | 101 | 102 | {"succeeded":#53A051,"failed":#DC4E41,"total":#294E70} 103 | 104 | 105 | 106 | 107 | 108 | 109 | {"total":#294E70} 110 | 111 |
113 | 114 | Successful Logins 115 | 116 | 117 | | search info="succeeded" 118 | | bin _time span=1d 119 | | stats dc(user) as daily_users count as daily_logins by _time 120 | | stats max(daily_users) as "Max Daily Users" avg(daily_users) as "Average Daily Users" median(daily_users) as "Median Daily Users" max(daily_logins) as "Max Daily Logins" avg(daily_logins) as "Average Daily Logins" median(daily_logins) as "Median Daily Logins" 121 | | transpose 122 | | rename column as "Successful Login Metric", "row 1" as "Value" 123 | 124 | 125 | 126 | 127 | 128 | 129 |
130 |
131 | 132 | Failed Logins 133 | 134 | 135 | | search info="failed" 136 | | bin _time span=1d 137 | | stats dc(user) as daily_users count as daily_logins by _time 138 | | stats max(daily_users) as "Max Daily Users" avg(daily_users) as "Average Daily Users" median(daily_users) as "Median Daily Users" max(daily_logins) as "Max Daily Failures" avg(daily_logins) as "Average Daily Failures" median(daily_logins) as "Median Daily Failures" 139 | | transpose 140 | | rename column as "Failed Login Metric", "row 1" as "Value" 141 | 142 | 143 | 144 | 145 | 146 | 147 |
148 |
149 |
150 | 151 | 152 | 153 |

Logins Over Time

154 | 155 |
156 |
157 | 158 | 159 | 160 | Successful 161 | 162 | | search info=succeeded 163 | | timechart dc(user) as "Distinct Users" count 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | Failed 207 | 208 | | search info=failed 209 | | timechart dc(user) as "Distinct Users" count 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 |

Successful Login Details

257 | 258 |
259 |
260 | 261 | 262 | Successful Logins by User 263 | 264 | 265 | | search info=succeeded 266 | | stats values(roles) as "roles" values(host) as "hosts" values(clientip) as "client ips" sparkline as trend count by user 267 | | sort - count 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 |
284 |
285 | 286 | Successful Logins by Roles 287 | 288 | 289 | | search info=succeeded 290 | | stats values(host) as hosts dc(user) as "Distinct Users" mode(user) as "Top User" sparkline as trend count by roles 291 | | sort - count 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 |
311 |
312 |
313 | 314 | 315 | Successful Logins Table 316 | 317 | 318 | | search info=succeeded 319 | | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") 320 | | table _time method reason user roles host clientip useragent info 321 | | sort - _time 322 | 323 | 324 | 325 | 326 | 327 | 328 | {"succeeded":#53A051} 329 | 330 | 331 | 332 | 333 | 334 |
335 |
336 |
337 | 338 | 339 | 340 |

Failed Login Details

341 | 342 |
343 |
344 | 345 | 346 | Failed Logins by User 347 | 348 | 349 | | search info=failed 350 | | stats values(roles) as "roles" values(host) as "hosts" values(src) as "sources" sparkline as trend count by user 351 | | sort - count 352 | 353 | 354 | 355 | 356 | 357 | 358 | 359 | 360 | 361 | 362 | 363 | 364 | 365 | 366 | 367 |
368 |
369 | 370 | Failed Logins by Roles 371 | 372 | 373 | | search info=failed 374 | | stats values(host) dc(user) as "Distinct Users" mode(user) as "Top User" sparkline as trend count by roles 375 | | sort - count 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | 384 | 385 | 386 | 387 | 388 | 389 | 390 | 391 | 392 | 393 | 394 |
395 |
396 |
397 | 398 | 399 | Failed Logins Table 400 | 401 | 402 | | search info=failed 403 | | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") 404 | | table _time user roles host src info 405 | | sort - _time 406 | 407 | 408 | 409 | 410 | 411 | 412 | {"failed":#DC4E41} 413 | 414 | 415 | 416 | 417 | 418 |
419 |
420 |
421 |
422 | -------------------------------------------------------------------------------- /default/data/ui/views/bucket_explorer.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | == HOW TO USE == Filter the entire dashboard using the inputs at the top with the submit button. Individual dashboards have additional inputs. 4 | 5 | 6 | 7 | index=_internal sourcetype=splunkd source="*splunkd.log" component=HotBucketRoller 8 | | fields _time idx host splunk_server size from to bid event_message 9 | | rename idx as index 10 | | search $bucket_index_token$ 11 | 12 | $bucketRoll_timepicker.earliest$ 13 | $bucketRoll_timepicker.latest$ 14 | 15 | 16 | 17 |
18 | 19 | 20 | All 21 | All non-internal 22 | ( 23 | ) 24 | index= 25 | OR 26 | index 27 | index 28 | 29 | | dbinspect index=* 30 | | fields index 31 | | dedup index 32 | 0 33 | 34 | 35 | * NOT index="_*" 36 | 37 |
38 | 39 | 40 | <h1 align="center" style="{background-color: lightgray !important;}">Explore Buckets</h1> 41 | 42 | 43 | 44 | 45 | Bucket Statistics 46 | 47 | 48 | 49 | 0 50 | 51 | 52 | 53 | 54 | 55 | hot 56 | warm 57 | cold 58 | frozen 59 | ( 60 | ) 61 | state= 62 | OR 63 | hot,warm,cold,frozen 64 | 65 | 66 | 67 | index 68 | splunk_server (indexer) 69 | bucket state 70 | index,splunk_server,state 71 | 72 | 73 | 74 | dbinspect query returning bucket metrics by bucket state and index. 75 | 76 | | dbinspect index=* datatype=all 77 | | fields bucketId index state eventCount startEpoch endEpoch hostCount rawSize sizeOnDiskMB sourceCount sourceTypeCount splunk_server 78 | | search $bucket_index_token$ $bucket_state_token$ 79 | | eval rawMB=((rawSize/1024)/1024) 80 | | eval rawGB=rawMB/1024 81 | | eval sizeOnDiskGB=sizeOnDiskMB/1024 82 | | stats dc(bucketId) as "Number of Buckets" sum(eventCount) as "Total Events" min(startEpoch) as first_seen max(endEpoch) as last_seen avg(sourceCount) as "Avg Sources per Bucket" avg(sourceTypeCount) as "Avg Sourcetypes per Bucket" sum(sizeOnDiskMB) as "MB on Disk" sum(sizeOnDiskGB) as "GB on Disk" sum(rawMB) as "Raw MB" sum(rawGB) as "Raw GB" by $bucketStatistics_splitBy$ 83 | | eval range_s = last_seen - first_seen 84 | | eval range_string = tostring(range_s, "duration") 85 | | eval range=if(match(range_string,"\+"),replace(range_string,"(\d+)\+(\d+)\:(\d+)\:(\d+)","\1 Day \2 Hr \3 Min \4 Secs"),replace(range_string,"(\d+)\:(\d+)\:(\d+)","\1 Hr \2 Min \3 Secs")) 86 | | foreach *_seen 87 | [ convert ctime(<>) timeformat="%Y-%m-%d %H:%M:%S"] 88 | | eval sort_field=case(state="hot",1,state="warm",2,state="cold",3) 89 | | sort index, sort_field, -"Compressed MB on Disk" 90 | | table $bucketStatistics_splitBy$ first_seen last_seen range_s range span* "Number of Buckets" "Total Events" *Bucket *Disk Raw* 91 | $bucketModified_token.earliest$ 92 | $bucketModified_token.latest$ 93 | 1 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 
105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | {"hot":#DC4E41,"warm":#F1813F,"cold":#62B3B2,"frozen":#006D9C} 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 |
262 |
263 |
264 | 265 | 266 | Hot to Warm Rolls Over Time 267 | 268 | 269 | 270 | @w0 271 | now 272 | 273 | 274 | 275 | 276 | index 277 | splunk_server 278 | index 279 | 280 | 281 | queries HotBucketRoller component in splunkd.log 282 | 283 | 284 | | timechart count by $rolls_splitBy$ 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | Hot to Warm Rolls 322 | 323 | 324 | | table _time host splunk_server index size from to bid event_message 325 | | sort - _time 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | 356 | 357 | 358 |
359 |
360 |
361 | 362 | 363 | <h1 align="center" style="{background-color: lightgray !important;}">View Index Configuration</h1> 364 | 365 | 366 | 367 | 368 | 369 | 370 | | rest /servicesNS/-/-/data/indexes datatype=all 371 | | eval frzHours=frozenTimePeriodInSecs/3600 372 | | eval frzDays=frzHours/24 373 | | eval frzYears=frzDays/365 374 | | eval maxHotSpanDays=maxHotSpanSecs/86400 375 | | rename title as index, eai:acl.app as app 376 | | table app splunk_server index datatype totalEventCount minTime maxTime repFactor maxMemMB frozenTimePeriodInSecs frz* maxHotSpanDays currentDBSizeMB maxTotalDataSizeMB maxHotBuckets maxWarmDBCount maxDataSize homePath.maxDataSizeMB coldPath.maxDataSizeMB 377 | | search $bucket_index_token$ 378 | | sort - maxTime 379 | -24h@h 380 | now 381 | 1 382 | 383 | 384 | 385 | 386 | 387 | 388 | 389 | 390 | 391 | 392 | 393 | 394 | 395 | 396 | 397 | 398 | 399 | 400 | 401 | 402 | 403 | 404 | 405 | 406 | 407 | 408 | 409 | 410 | 411 | 412 | 413 | 414 | 415 | 416 | 417 | 418 | 419 | 420 | 421 | 422 | 423 | 424 | 425 | 426 | 427 | 428 | 429 | 430 | 431 | 432 | 433 | 434 | 435 | 436 | 437 | 438 | 439 | 440 | 441 | 442 | 443 | 444 | 445 | 446 | 447 | 448 | 449 | 450 | 451 | 452 | 453 | 454 | 455 | 456 | 457 | 458 | 459 | 460 | 461 | 462 | 463 | 464 | 465 | 466 | 467 | 468 | 469 | 470 | 471 | 472 | 473 | 474 | 475 | 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 |
489 |
490 |
491 |
492 | -------------------------------------------------------------------------------- /default/data/ui/views/dashboard_adoption.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | Explore use of dashboards over time. The base search queries the splunkd_ui_access sourcetype. 4 | 5 | 6 | 7 | index="_internal" sourcetype=splunkd_ui_access $dashboardAdoption_userFilter$ "en-US/app" 8 | | fields _time user bytes uri_path file sid spent 9 | | rex field=uri_path "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)" 10 | | join user 11 | [ | rest splunk_server=local services/authentication/users 12 | | rename title as user 13 | | fields user roles] 14 | |search $dashboardAdoption_roleFilter$ 15 | 16 | $dashboardAdoption_timepicker.earliest$ 17 | $dashboardAdoption_timepicker.latest$ 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | @w0 26 | now 27 | 28 | 29 | 30 | 31 | ( 32 | ) 33 | roles= 34 | OR 35 | title 36 | title 37 | 38 | | rest splunk_server=local /services/authorization/roles 39 | | fields title 40 | | dedup title 41 | -24h@h 42 | now 43 | 44 | All 45 | * 46 | 47 | 48 | 49 | All 50 | ( 51 | ) 52 | user= 53 | OR 54 | title 55 | title 56 | 57 | | rest services/authentication/users splunk_server=local 58 | | fields title 59 | | dedup title 60 | -24h@h 61 | now 62 | 63 | * 64 | 65 |
66 | 67 | 68 | <h1 align="center">Dashboards Overview</h1> 69 | 70 | 71 | 72 | 73 | 74 | Dashboard Adoption Metrics 75 | 76 | User activity for the entire time range selected above. 77 | 78 | | stats count as "Total Page Views" dc(user) as "Distinct Users" dc(app) as "Distinct Apps" dc(dashboard) as "Distinct Dashboards" 79 | | transpose 80 | | rename column as metric, "row 1" as value 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 |
89 |
90 | 91 | Total Dashboards 92 | 93 | by rootNode 94 | 95 | | rest services/data/ui/views splunk_server=local 96 | | dedup title 97 | | stats count by rootNode 98 | | sort - count 99 | | addcoltotals count labelfield=rootNode label=total 100 | -24h@h 101 | now 102 | 103 | 104 | 105 | 106 | {"total":#294E70} 107 | 108 | 109 | 110 | 111 | 112 |
113 |
114 | 115 | Total Dashboards by App 116 | 117 | ALL configured dashboards - NOT a count of user views. 118 | 119 | | rest services/data/ui/views splunk_server=local 120 | | dedup title 121 | | stats count by eai:acl.app 122 | | addcoltotals count labelfield=rootNode label=total 123 | -24h@h 124 | now 125 | 126 | 127 | 128 | 129 | 130 | 131 |
132 | 133 | 134 | 135 |

Dashboards over Time

136 |

Adoption of dashboards across the user base over time.

137 | 138 |
139 |
140 | 141 | 142 | Dashboards Adoption Metrics Over Time 143 | 144 | 145 | | timechart count as "Total Page Views" dc(user) as "Distinct Users" dc(app) as "Distinct Apps" dc(dashboard) as "Distinct Dashboards" 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | Apps and Dashboard Page Views Over Time 186 | 187 | 188 | dashboard 189 | app 190 | user 191 | dashboard 192 | 193 | 194 | 195 | 196 | | timechart count by $timechart_splitBy$ 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | <h1 align="center">Top Dashboards</h1> 236 | <p align="center">By app and user.</p> 237 | 238 | 239 | 240 | 241 | Top 10 Dashboards 242 | 243 | 244 | app 245 | user 246 | app 247 | 248 | 249 | 250 | | chart count as views over dashboard by $top10dashboard_splitBy$ 251 | | addtotals fieldname=temp_sort 252 | | sort - temp_sort 253 | | head 10 254 | | fields - temp_sort 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | Top 10 Apps 292 | 293 | 294 | dashboard 295 | user 296 | dashboard 297 | 298 | 299 | 300 | | chart count over app by $top10Apps_splitBy$ 301 | | addtotals fieldname=temp_sort 302 | | sort - temp_sort 303 | | head 10 304 | | fields - temp_sort 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | Top 10 Users 343 | 344 | 345 | dashboard 346 | app 347 | dashboard 348 | 349 
| 350 | 351 | | chart count as views over user by $top10user_splitBy$ 352 | | addtotals fieldname=temp_sort 353 | | sort - temp_sort 354 | | head 10 355 | | fields - temp_sort 356 | 357 | 358 | 359 | 360 | 361 | 362 | 363 | 364 | 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | 384 | 385 | 386 | 387 | 388 | 389 | 390 | 391 | 392 | 393 | 394 | 395 |

Modifications

396 |

Create, delete, update, and edit actions on view objects.

397 | 398 |
399 |
400 | 401 | 402 | Dashboard Modifications 403 | 404 | Queries internal access logs and displays dashboard modifications over time. 405 | 406 | index=_internal uri_path=/en-US/splunkd/__raw/servicesNS/*/*/data/ui/views/* method=POST 407 | | rename file as dashboard 408 | | timechart count by dashboard 409 | $dashboardAdoption_timepicker.earliest$ 410 | $dashboardAdoption_timepicker.latest$ 411 | 1 412 | 413 | 414 | 415 | 416 | 417 | 418 | 419 | 420 | 421 | 422 | 423 | 424 | 425 | 426 | 427 | 428 | 429 | 430 | 431 | 432 | 433 | 434 | 435 | 436 | 437 | 438 | 439 | 440 | 441 | 442 | 443 | 444 | 445 | 446 | 447 | 448 | 449 | Top Users by Modifications 450 | 451 | 452 | index=_internal uri_path=/en-US/splunkd/__raw/servicesNS/*/*/data/ui/views/* method=POST 453 | | rename file as dashboard 454 | | chart count by user dashboard 455 | | addtotals fieldname=temp_sort 456 | | sort - temp_sort 457 | | fields - temp_sort 458 | $dashboardAdoption_timepicker.earliest$ 459 | $dashboardAdoption_timepicker.latest$ 460 | 1 461 | 462 | 463 | 464 | 465 | 466 | 467 | 468 | 469 | 470 | 471 | 472 | 473 | 474 | 475 | 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 | 489 | 490 | 491 | 492 | 493 | 494 | 495 | 496 | 497 |
498 | --------------------------------------------------------------------------------