Does _audit keep track of alert's modifications?


Could it be that there is no audit log (tied to a user) when an alert gets modified and saved? I really looked hard and I'm stuck trying to use REST APIs and compare the rule before/after.



Hi @danielbb,

There are some limited things you can use to track who and when an alert is modified, but tracking what was modified can be a bit tricky. My friend @efavreau and I presented at last year's .conf about how to track changes to your knowledge objects and how to export them from Splunk so you can do version control outside of Splunk. In that presentation we have a query that you can use to track who and when a change is made to an object here:

Lines 36-40 in that query won't work without you creating a lookup file of your objects, which can be done with this, but check out the readme here first.

If you want you can check out the slide deck and presentation itself here:

As for what was changed, you may be able to find some information in the splunkd_conf sourcetype in the _internal index:

index=_internal sourcetype=splunkd_conf data.asset_uri=savedsearches data.optype_desc=WRITE_STANZA

The data.payload array will have the information that was changed, and the data.asset_uri array will have the specific savedsearch/report/alert that was modified.

If this comment/answer was helpful, please up vote it. Thank you.
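As an added, hypothetical example (not from the thread and not Splunk's own code): a Python script that takes splunkd_conf WRITE_STANZA events like those returned by the search above and diffs each save of a saved search against the previous one, so the "what changed" question can be answered per asset. The event nesting, the sample values and the form of asset_uri are assumptions; only the field names data.asset_uri, data.optype_desc and data.payload come from the answer.

```python
from collections import defaultdict

# Constructed sample events (hypothetical shape): field names come from the thread,
# the nesting and values are assumptions for the demo.
SAMPLE_EVENTS = [
    {"_time": "2021-10-01T10:00:00", "data": {"asset_uri": "savedsearches/Failed Logins",
        "optype_desc": "WRITE_STANZA", "payload": {
            "search": "index=auth action=failure | stats count by user",
            "alert.severity": "3", "cron_schedule": "*/5 * * * *"}}},
    # a second save with identical settings: no real change
    {"_time": "2021-10-01T10:05:00", "data": {"asset_uri": "savedsearches/Failed Logins",
        "optype_desc": "WRITE_STANZA", "payload": {
            "search": "index=auth action=failure | stats count by user",
            "alert.severity": "3", "cron_schedule": "*/5 * * * *"}}},
    # someone narrows the search, slows the schedule and disables the alert
    {"_time": "2021-10-02T09:30:00", "data": {"asset_uri": "savedsearches/Failed Logins",
        "optype_desc": "WRITE_STANZA", "payload": {
            "search": "index=auth action=failure user!=svc_backup | stats count by user",
            "cron_schedule": "0 * * * *", "disabled": "1"}}},
    # a read of another stanza: must be ignored
    {"_time": "2021-10-02T09:31:00", "data": {"asset_uri": "savedsearches/Other",
        "optype_desc": "READ_STANZA", "payload": {}}},
]

def diff_payloads(old, new):
    """Return {key: (old_value, new_value)} for every key added, removed or changed."""
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}

def change_history(events):
    """Order WRITE_STANZA events per asset_uri and diff each save against the previous one."""
    by_asset = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):  # ISO timestamps sort as text
        d = ev["data"]
        if d.get("optype_desc") == "WRITE_STANZA":
            by_asset[d["asset_uri"]].append((ev["_time"], d.get("payload", {})))
    history = {}
    for asset, writes in by_asset.items():
        history[asset] = [{"time": t, "changes": c}
                          for (_, prev), (t, cur) in zip(writes, writes[1:])
                          if (c := diff_payloads(prev, cur))]
    return history

if __name__ == "__main__":
    for asset, entries in change_history(SAMPLE_EVENTS).items():
        for e in entries:
            print(asset, e["time"])
            for k, (before, after) in e["changes"].items():
                print(f"  {k}: {before!r} -> {after!r}")
```

Saves that change nothing are dropped, so only real edits (here: a narrowed search, a slower schedule, and the alert being disabled) show up in the history.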