https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/m-p/424781#M7408 <P>Yes with REST. Use lookup to record the states.</P> <P>|REST /services/saved/searches | fields title search disabled |lookup status.csv title AS title OUTPUT title AS lastTitle, search AS lastsearch, disabled AS lastdisabled | where search != lastsearch AND disabled !=lastdisabled disabled ==1 |outputlookup status.csv</P> Sun, 28 Oct 2018 11:46:23 GMT valiquet 2018-10-28T11:46:23Z https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/m-p/424780#M7407 <P>Hi all,</P> <P>I have been checking in index=_audit and I can't seem to find any sort of audit messaging about when an alerts gets disabled by a user or if the alert itself is changed. Does anyone know if this information can be found in Splunk?</P> <P>Regards<BR /> Jen</P> Fri, 12 Oct 2018 18:08:49 GMT https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/m-p/424780#M7407 msmapper 2018-10-12T18:08:49Z https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/m-p/424781#M7408 <P>Yes with REST. Use lookup to record the states.</P> <P>|REST /services/saved/searches | fields title search disabled |lookup status.csv title AS title OUTPUT title AS lastTitle, search AS lastsearch, disabled AS lastdisabled | where search != lastsearch AND disabled !=lastdisabled disabled ==1 |outputlookup status.csv</P> Sun, 28 Oct 2018 11:46:23 GMT https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/m-p/424781#M7408 valiquet 2018-10-28T11:46:23Z