I have a requirement to check to see if our auditors have run specific dashboards every week. I would like to build a query that reports if they haven't checked their areas of responsibility.
I've already been able to extract a search that extracts applications, users, times and dashboards accessed by end users. I've created regex to already extract 2 values 1) dashDashboards that is the dashboard accessed and 2) dashApplication that names the application being used. The graphic below shows what it looks like and here is the query to produce that.
index=_internal sourcetype=splunkd_access dashDashboard!=_admin | eval Date=strftime(_time,"%m/%d/%Y")|eval Time=strftime(_time,"%H:%M") | eval dayOfWeek=strftime(_time,"%A")| table Date Time dayOfWeek user dashApplication dashDashboard | rename dayOfWeek AS "Day of Week", AppUsed AS "Application", dashDashboard AS Dashboard, dashApplication AS Application,user AS User
Now I would like to build a lookup table to use as a source with user names and dashboards they are required to check. The idea here is to create a search that finds what dashboards they haven't checked. A way to 'audit the auditors'
auditor,dashboard
rich,home_status
rich,mail_delivery
veronica,temperature_sensors
The following query does show if they have checked one of their areas but i would ideally like to check (and for every week woudl be ideal) if they haven't done their weekly job.
index=_internal sourcetype=splunkd_access dashDashboard!=_admin | eval Date=strftime(_time,"%m/%d/%Y")|eval Time=strftime(_time,"%H:%M") | eval dayOfWeek=strftime(_time,"%A")| join user,dashDashboard [|inputlookup auditor.list | rename dashboard AS dashDashboard, auditor AS user]|table Date Time dayOfWeek user dashApplication dashDashboard | rename dayOfWeek AS "Day of Week", AppUsed AS "Application", dashDashboard AS Dashboard, dashApplication AS Application,user AS User
How can i identify given a lookup source if they haven't done their responsibilities? Or if you have a better idea of how to accomplish this please let me know.
![alt text][1]
Thanks.
[1]: /storage/temp/159258-auditauditors.jpg
↧