Does _audit keep track of alert's modifications?


Could it be that there is no audit log (tied to a user) when an alert gets modified and saved? I really looked hard, and I'm stuck trying to use the REST APIs and compare the rule before/after.



Hi @danielbb,

There are some limited things you can use to track who modified an alert and when, but tracking what was modified can be a bit tricky.  My friend @efavreau and I presented at last year's .conf about how to track changes to your knowledge objects and how to export them from Splunk so you can do version control outside of Splunk.  In that presentation we have a query that you can use to track who made a change to an object and when, here:

Lines 36-40 in that query won't work without you creating a lookup file of your objects, which can be done with this, but check out the readme here first.

If you want you can check out the slide deck and presentation itself here:

As for what was changed, you may be able to find some information in the splunkd_conf sourcetype in the _internal index:

index=_internal sourcetype=splunkd_conf data.asset_uri=savedsearches data.optype_desc=WRITE_STANZA

The data.payload arrays will have the information that was changed and the data.asset_uri array will have the specific savedsearch/report/alert that was modified.

If this comment/answer was helpful, please upvote it. Thank you.
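One way to do the before/after compare the question describes, added here as an example (not code from this thread or from Splunk): snapshot the saved searches from the REST endpoint, keep the previous snapshot, and diff the two to see exactly which attributes of which alert changed. The fetch helper, its endpoint parameters, the ignored keys and the sample entries are my assumptions, and the diff runs offline on the constructed sample.

```python
"""Snapshot-and-diff of Splunk saved searches (alerts/reports) via the REST API."""
import json
import urllib.request
from base64 import b64encode

# Keys in the JSON "content" that change on their own and would only add noise
# to a before/after compare (assumed list; extend as needed).
IGNORED_KEYS = {"eai:acl", "eai:appName", "eai:userName", "next_scheduled_time"}


def snapshot_from_entries(entries):
    """Map saved-search name -> its content dict, minus the noisy keys."""
    return {
        e["name"]: {k: v for k, v in e["content"].items() if k not in IGNORED_KEYS}
        for e in entries
    }


def diff_snapshots(before, after):
    """Return (name, key, old, new) tuples for every modified attribute.

    A created or deleted search is reported once with key "*"."""
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes.append((name, "*", None, "created"))
        elif name not in after:
            changes.append((name, "*", "deleted", None))
        else:
            for key in sorted(set(before[name]) | set(after[name])):
                old, new = before[name].get(key), after[name].get(key)
                if old != new:
                    changes.append((name, key, old, new))
    return changes


def fetch_saved_searches(base_url, user, password):
    """Pull all saved searches as JSON entries from splunkd (needs network access)."""
    req = urllib.request.Request(f"{base_url}/services/saved/searches?output_mode=json&count=0")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]


# Constructed sample (no real Splunk data): one alert whose schedule was widened
# and whose search lost its "by user" grouping, plus a newly created alert.
BEFORE = [{"name": "Failed logins", "content": {
    "search": "index=auth action=failure | stats count by user",
    "cron_schedule": "*/5 * * * *", "alert.severity": "4", "next_scheduled_time": "t1"}}]
AFTER = [{"name": "Failed logins", "content": {
    "search": "index=auth action=failure | stats count",
    "cron_schedule": "0 * * * *", "alert.severity": "4", "next_scheduled_time": "t2"}},
    {"name": "New alert", "content": {"search": "index=main"}}]

if __name__ == "__main__":
    for change in diff_snapshots(snapshot_from_entries(BEFORE), snapshot_from_entries(AFTER)):
        print(change)
```

Run it on a schedule, store each snapshot, and join the diff output with the who/when from the _audit query above to get a complete change record.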