topic What Changes are made on Alerts , Dashboard? in Dashboards & Visualizations

What Changes are made on Alerts , Dashboard?

vn_g — Wed, 10 Mar 2021 11:28:27 GMT

How can I find out when who and what changes are made to below list in Splunk

- Alerts/Saved Searches

-Dashboards

Re: What Changes are made on Alerts , Dashboard?

impurush — Wed, 10 Mar 2021 15:18:29 GMT

Hi @vn_g , As per my knowledge, you can see when and who accessed the UI of Saved searches and dashboards API, however, we cannot see what is changed because Splunk is not maintaining any versions of these knowledge objects. You may need some additional apps to monitor the changes.

Re: What Changes are made on Alerts , Dashboard?

vn_g — Thu, 11 Mar 2021 08:22:49 GMT

ok Thankyou for confirming.

My required output :

1) TimeOfTheAction, DashboardName, UserWhoModifiedit

2) TimeOfTheAction, SearchName, UserWhoModifiedit

Trials 1(ForAlerts) : index=_internal sourcetype=splunkd_conf data.asset_uri{}=savedsearches "data.optype_desc"="*" | table _time data.optype_desc

Using the above I am not able to find the User who modified the saved search.

Trials 2 (For Dashboards) :index=_internal sourcetype=splunkd_ui_access method=post ui/views (edit OR editxml) | table req_time,file,user | rename file as dashboard req_time as editTime

Above doesn't give any results

Trial 3 ( For Dashboards) : index=_internal sourcetype=splunkd_ui_access method=post ui/views NOT StreamedSearch | table req_time,file,user | rename file as dashboard req_time as editTime

Is above correct one?

Re: What Changes are made on Alerts , Dashboard?

impurush — Thu, 11 Mar 2021 15:16:06 GMT

Hi @vn_g ,
For dashboard, the trail 3 is working perfectly, I have tested in my environment.

For Alert, I have modified your trail 3 query and getting the results correctly.

index=_internal sourcetype=splunkd_ui_access method=post saved/searches NOT StreamedSearch | table req_time,file,user | rename file as Alertname req_time as editTime

Re: What Changes are made on Alerts , Dashboard?

vn_g — Fri, 12 Mar 2021 07:29:51 GMT

Query : index=_internal sourcetype=splunkd_ui_access method=* ui/views NOT StreamedSearch
| table req_time,file,user,method
| rename file as dashboard req_time as editTime
| sort - editTime

Using the above query it is generating 2 events for each action.

Action : Create a new dashboard.

DashbordName Method
views GET
_new POST

Action : Delete the existing dashboard.
DashbordName Method
views GET
multidelte POST

My requirement is i have to find out the Dashboard Name which is created or deleted
And also i have to get all the changes , updates , creation , detetion except GET method details.