Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare the old and new query of the alert after a modification?

Allampally
Path Finder
‎08-19-2020 01:47 AM

Some of my team mates modified my existing alert and i want to know the query modification which he did. I am able to find who and when he modified the alert but not able to find compare the old and new search query. 

Is there any way to find the original query and modified query to compare?

Labels (1)
Labels
0 Karma
Reply

Nisha18789
Builder
‎09-01-2020 06:02 AM

Hello @Allampally , if your search was running on a schedule and you have access to _audit log , please try below query if that works for you. Please select the timeframe so that it covers the time window the alert was updated.

index=_audit action=search savedsearch_name=<paste your alert name here> search_id="'scheduler__*" |dedup search
| stats earliest(search) as old_search latest(search) as current_search
| where old_search!=current_search

0 Karma
Reply

Nisha18789
Builder
‎08-19-2020 07:51 AM

Hi @Allampally , may be you can try below query, if you are having splunkd_remote_searches logs in _internal index

index=_internal sourcetype=splunkd_remote_searches savedsearch_name=<your search name> 

|stats latest(search) as new earliest(search) as old 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-19-2020 09:18 AM

Hi

here is instructions  how you could avoid it next time. Also to whom you could blame 😉

https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-list-all-the-knowledge-objects-that-us...

r. Ismo

0 Karma
Reply

impurush
Contributor
‎08-19-2020 06:45 AM

Hi @Allampally ,
As mentioned in the post, there is no way to track the changes in the Splunk and you need to use git or bitbucket to track the changes, however, you can try this below query.

 

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search

 

This query will show the searches ran by the user previously, you can tune the query and see your search based on your last successful ran and compare the current query.

I got the answer from below post
https://community.splunk.com/t5/Splunk-Search/Why-history-command-only-shows-my-searches-not-searche...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-19-2020 05:50 AM
Splunk does not log those kinds of changes. Until it does, use a source management system (like git) to keep track of changes.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...