https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/513815#M4411 <P>You may want to look into this, as it looks somewhat similar to your requirements. Mind you, there are going to be a lot of false positives.</P><P><A href="https://community.splunk.com/t5/Monitoring-Splunk/A-way-to-audit-changes-to-savedsearches-conf/td-p/511888" target="_self">How to audit changes in savedsearches.conf</A>&nbsp;</P><P>Hope this helps,</P><P>S</P><P>&nbsp;</P> Fri, 14 Aug 2020 10:25:51 GMT shivanshu1593 2020-08-14T10:25:51Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/513267#M4401 <P>Hi Splunkers,</P><P>we need to monitor who, when, where and what was changed in macros, searches and so on.</P><P>Internal index can answer to "who, when, where" (audit POST requests).&nbsp;</P><P>Which is the right and preferred way to answer to "what" exactly was added or removed to/from the knowledge object during the change operation.</P><P>P.S. We have to have this information in Splunk and correlate with _internal audit</P> Mon, 10 Aug 2020 08:48:28 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/513267#M4401 evelenke 2020-08-10T08:48:28Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/513815#M4411 <P>You may want to look into this, as it looks somewhat similar to your requirements. Mind you, there are going to be a lot of false positives.</P><P><A href="https://community.splunk.com/t5/Monitoring-Splunk/A-way-to-audit-changes-to-savedsearches-conf/td-p/511888" target="_self">How to audit changes in savedsearches.conf</A>&nbsp;</P><P>Hope this helps,</P><P>S</P><P>&nbsp;</P> Fri, 14 Aug 2020 10:25:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/513815#M4411 shivanshu1593 2020-08-14T10:25:51Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/514063#M4414 <P>Hi,</P><P>so you say "<SPAN>_audit index is your friend for this"</SPAN> , but in the answer you'd proposed me the very first sentence is "<SPAN>It's already been determined that alarms/reports modifications are not being audited in _audit and _internal indexes." . <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>Thanks anyway!</P> Fri, 14 Aug 2020 09:58:53 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/514063#M4414 evelenke 2020-08-14T09:58:53Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/514064#M4415 <P>Ah my bad. First started&nbsp; with the audit index, then remembered that a thread is already there for the issue. Totally forgot to edit the post after pasting the link.</P><P>Thanks for pointing out, man <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Fri, 14 Aug 2020 10:25:02 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/514064#M4415 shivanshu1593 2020-08-14T10:25:02Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/516613#M4432 <P>Take a look at <A title="Better audit logs suggested in Ideas" href="https://ideas.splunk.com/ideas/E-I-49" target="_blank" rel="noopener">Splunk Ideas E-I-49</A>&nbsp; and upvote. I think that aligns with what you're looking for.&nbsp;</P> Fri, 28 Aug 2020 00:23:37 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-audit-changes-in-Splunk-objects-Git-or-else/m-p/516613#M4432 jcaceres 2020-08-28T00:23:37Z