https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489002#M194037 <P>It is unclear for me why there isn't any easy and comfortable way to search all the objects that have been changed on Splunk. </P> <P>It is very basic and this that admins need, in order to be in control over the environment.</P> <P>I have this query, that i find on an answer here, and added some changes: </P> <PRE><CODE>index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access) ( method=POST OR method=DELETE) ( user!=splunk-system-user user!=- ) ( uri_path=/servicesNS/* OR uri_path=/en-US/splunkd/__raw/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" uri_path!="*/ui/prefs*" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*") | replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path | replace "/en-US/splunkd/__raw*" with "*" in uri_path | where mvcount( split( uri_path , "/" ) ) &gt; 6 | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" ) | rex field=uri_path "/servicesNS(/[^\/]+){3}/(?&lt;object_type&gt;[^\/]+)/(?&lt;object_name&gt;[^\/]+)" | eval object_name = urldecode( object_name ) | convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S" | table _time, user, object_name, object_type, activity | dedup _time, user, object_name​ </CODE></PRE> <P>But it is not quite good, as there seem to be a lot of false positive stats. </P> <P>Can someone please help me accomplish this? </P> <P>*** I am not familiar with the fields of the internal logs and i couldn't find any description or details about it, so it can be useful too.</P> <P>Also, is there any difference in the logs between Splunk cloud and splunk enterprise ? </P> <P>Thanks ! </P> Mon, 23 Sep 2019 14:33:33 GMT astatrial 2019-09-23T14:33:33Z https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489002#M194037 <P>It is unclear for me why there isn't any easy and comfortable way to search all the objects that have been changed on Splunk. </P> <P>It is very basic and this that admins need, in order to be in control over the environment.</P> <P>I have this query, that i find on an answer here, and added some changes: </P> <PRE><CODE>index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access) ( method=POST OR method=DELETE) ( user!=splunk-system-user user!=- ) ( uri_path=/servicesNS/* OR uri_path=/en-US/splunkd/__raw/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" uri_path!="*/ui/prefs*" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*") | replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path | replace "/en-US/splunkd/__raw*" with "*" in uri_path | where mvcount( split( uri_path , "/" ) ) &gt; 6 | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" ) | rex field=uri_path "/servicesNS(/[^\/]+){3}/(?&lt;object_type&gt;[^\/]+)/(?&lt;object_name&gt;[^\/]+)" | eval object_name = urldecode( object_name ) | convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S" | table _time, user, object_name, object_type, activity | dedup _time, user, object_name​ </CODE></PRE> <P>But it is not quite good, as there seem to be a lot of false positive stats. </P> <P>Can someone please help me accomplish this? </P> <P>*** I am not familiar with the fields of the internal logs and i couldn't find any description or details about it, so it can be useful too.</P> <P>Also, is there any difference in the logs between Splunk cloud and splunk enterprise ? </P> <P>Thanks ! </P> Mon, 23 Sep 2019 14:33:33 GMT https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489002#M194037 astatrial 2019-09-23T14:33:33Z https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489003#M194038 <P>Hi @astatrial,</P> <P>Try this for a base search to get the list of actions for any changes, you can then filter on specific objects or actions :</P> <PRE><CODE>index=_audit action=*edit* OR action=*create* OR action=*delete* OR action=*change*| stats count by user, action </CODE></PRE> <P>As for "Also, is there any difference in the logs between Splunk cloud and splunk enterprise ?" the answer is no. The internal log structure remains the same.</P> <P>Cheers,<BR /> David</P> Mon, 23 Sep 2019 14:39:36 GMT https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489003#M194038 DavidHourani 2019-09-23T14:39:36Z https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489004#M194039 <P>Hi David, <BR /> Thanks for your response.<BR /> I already tried using the _audit index but it seems to have a lot of irrelevant events too, and in addition it doesn't contain some actions (for example, i created a report and search for the event in _audit and it wasn't there by the name of the search). </P> <P>The actions that i am looking for are on objects like (reports, alerts, indexes, lookups, DM, correlation searches, sourcetypes, etc..)</P> Tue, 24 Sep 2019 06:54:32 GMT https://community.splunk.com/t5/Splunk-Search/Audit-splunk/m-p/489004#M194039 astatrial 2019-09-24T06:54:32Z