topic Re: Splunk query to check which user disabled/enabled alert. in Splunk Search

How to create a search to check which user disabled/enabled alert?

AnmolKohli — Tue, 08 Mar 2022 17:37:28 GMT

Splunk query to check which user disabled/enabled alert.

Re: Splunk query to check which user disabled/enabled alert.

ccl0utier — Tue, 05 Feb 2019 15:14:04 GMT

Care to elaborate?

Re: Splunk query to check which user disabled/enabled alert.

AnmolKohli — Tue, 05 Feb 2019 15:44:01 GMT

We have a report built in splunk that runs whenever any alert is disabled by a user in splunk. I want to find the user who has disabled the alert.Is this doable?

Re: Splunk query to check which user disabled/enabled alert.

woodcock — Tue, 05 Feb 2019 16:02:19 GMT

See what is in the logs like this:

index=_audit "disabled alert name here"

Re: Splunk query to check which user disabled/enabled alert.

inventsekar — Fri, 23 Oct 2020 04:20:41 GMT

not sure @woodcock if the new version updated the audit log formats/my old 7.3 does not have yet your search query format,.. but i created a test alert and disabled and queried the audit index, but no match. something fishy.

Re: Splunk query to check which user disabled/enabled alert.

cmeisch — Tue, 08 Mar 2022 14:51:42 GMT

Has this been answered... I am looking for the same thing as to WHO has done what?

Re: Splunk query to check which user disabled/enabled alert.

SanjayReddy — Tue, 08 Mar 2022 15:31:53 GMT

Hi @cmeisch

you can with following query

index="_internal" sourcetype="splunkd_ui_access" file IN (disable,enable)

i tried enable/disbale one of saved it , enable disable logs are showing with username who did that action

Re: Splunk query to check which user disabled/enabled alert.

cmeisch — Tue, 08 Mar 2022 15:45:00 GMT

Thanks for the response. What I am trying to do is to see when a rule has been enabled\disabled and by who. I Your suggestion will give me who has disabled\enabled but I am trying to figure out what was enabled\disabled... BUT I am closer thanks to you!

Re: Splunk query to check which user disabled/enabled alert.

SanjayReddy — Tue, 08 Mar 2022 15:55:46 GMT

Hi @cmeisch

index="_internal" sourcetype="splunkd_ui_access" file IN (disable,enable)
| table _time user uri file

I am not good at regex😁, but hightlited the savedsearch name on which action done ,
after searches/ word is the report/alert name followed by action

---
If this reply helps you, an upvote/Karma would be appreciated.

Re: Splunk query to check which user disabled/enabled alert.

not_for_sale_b — Thu, 13 Jul 2023 15:36:13 GMT

Oh my god finally, someone found it. Here is a revised query that works a little better and shows the "files" (searches) enabled by a particular user and decodes them to make them easier to read.

index="_internal" sourcetype=splunkd_ui_access method=POST
| eval file=urldecode(file)
| stats values(file) by user