Some of my teammates modified my existing alert, and I want to know the query modification which he did. I am able to find who modified the alert and when, but I am not able to compare the old and new search query.
Is there any way to find the original query and the modified query to compare them?
Hello @Allampally, if your search was running on a schedule and you have access to the _audit log, please try the query below and see if it works for you. Please select the timeframe so that it covers the time window in which the alert was updated.
index=_audit action=search savedsearch_name=<paste your alert name here> search_id="'scheduler__*" | dedup search
| stats earliest(search) as old_search latest(search) as current_search
| where old_search!=current_search
Hi @Allampally, maybe you can try the query below, if you have splunkd_remote_searches logs in the _internal index.
index=_internal sourcetype=splunkd_remote_searches savedsearch_name=<your search name>
| stats latest(search) as new earliest(search) as old
Hi,
here are instructions on how you could avoid it next time. Also, whom you could blame 😉
r. Ismo
Hi @Allampally,
As mentioned in the post, there is no way to track the changes in Splunk, and you need to use git or bitbucket to track them; however, you can try the query below.
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search
This query will show the searches previously run by the user; you can tune the query, find your search based on its last successful run, and compare it with the current query.
I got the answer from the post below:
https://community.splunk.com/t5/Splunk-Search/Why-history-command-only-shows-my-searches-not-searche...
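As an added example (not code from any of the posts above), here is a Python script that does offline what the _audit queries in the first and last answers do in SPL: it parses constructed _audit-style events, takes the earliest and latest scheduled run of a named alert, diffs the two queries stage by stage, lists the ad-hoc searches each user ran with the same NOT filters as the last answer's query, and flags which user ran the text that later became the scheduled query. The log lines, field layout, alert name and user names are constructed assumptions, not real data.

```python
import difflib
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in the shape of Splunk _audit lines (not real data).
AUDIT_LINES = [
    "Audit:[timestamp=11-01-2023 09:00:00.000, user=splunk-system-user, action=search, info=granted, "
    "search_id='scheduler__admin__search__RMD5abc_at_1698829200_11', "
    "search='search index=web status=500 | stats count by host', savedsearch_name=\"Web 5xx alert\", ttl=120]",
    "Audit:[timestamp=11-01-2023 10:15:00.000, user=alice, action=search, info=granted, "
    "search_id='1698833700.123', search='search index=web status=500 | stats count by host', ttl=600]",
    "Audit:[timestamp=11-01-2023 11:30:00.000, user=bob, action=search, info=granted, "
    "search_id='1698838200.456', search='search index=web status>=500 | stats count by host, uri', ttl=600]",
    "Audit:[timestamp=11-01-2023 11:31:00.000, user=bob, action=search, info=granted, "
    "search_id='1698838260.457', search='|history', ttl=600]",
    "Audit:[timestamp=11-01-2023 12:00:00.000, user=splunk-system-user, action=search, info=granted, "
    "search_id='scheduler__admin__search__RMD5abc_at_1698840000_12', "
    "search='search index=web status>=500 | stats count by host, uri', savedsearch_name=\"Web 5xx alert\", ttl=120]",
    "Audit:[timestamp=11-01-2023 12:05:00.000, user=alice, action=search, info=granted, "
    "search_id='1698840300.789', search='typeahead prefix=ind count=10', ttl=600]",
]

# key='value', key="value" or bare key=value (bare values end at comma, space or ']').
KV_RE = re.compile(r"(\w+)=(?:'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"|([^,\]\s]+))")
TS_RE = re.compile(r"timestamp=([^,]+)")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"
# The same exclusions the last answer applies with NOT clauses.
NOISE_PREFIXES = ("|history", "typeahead", "| metadata type=")


def parse_audit(line):
    """Turn one _audit line into a dict of fields; timestamp becomes a datetime."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    ts = TS_RE.search(line)
    if ts:
        fields["timestamp"] = datetime.strptime(ts.group(1).strip(), TS_FMT)
    return fields


def scheduled_history(lines, savedsearch_name):
    """Scheduled runs of one alert, oldest first, with consecutive identical
    query texts collapsed (the role of 'dedup search' in the SPL)."""
    runs = sorted(
        (f["timestamp"], f["search"])
        for f in map(parse_audit, lines)
        if f.get("action") == "search"
        and f.get("savedsearch_name") == savedsearch_name
        and f.get("search_id", "").startswith("scheduler__")
    )
    history = []
    for ts, search in runs:
        if not history or history[-1][1] != search:
            history.append((ts, search))
    return history


def compare_versions(lines, savedsearch_name):
    """(old_search, current_search, diff lines) like the earliest/latest stats,
    or None when fewer than two distinct versions were seen."""
    history = scheduled_history(lines, savedsearch_name)
    if len(history) < 2:
        return None
    old, new = history[0][1], history[-1][1]
    # Split on the pipe so each SPL stage diffs as its own line.
    diff = list(difflib.unified_diff(old.split(" | "), new.split(" | "),
                                     "old_search", "current_search", lineterm=""))
    return old, new, diff


def adhoc_searches_by_user(lines):
    """Count ad-hoc searches per (user, search), excluding scheduler runs,
    the system user and typeahead/history/metadata noise."""
    counts = Counter()
    for f in map(parse_audit, lines):
        if f.get("action") != "search" or f.get("info") != "granted":
            continue
        if f.get("search_id", "").startswith("scheduler__") or f.get("user") == "splunk-system-user":
            continue
        search = f.get("search", "")
        if search.startswith(NOISE_PREFIXES):
            continue
        counts[(f.get("user"), search)] += 1
    return counts


def who_changed(lines, savedsearch_name):
    """Heuristic: users whose ad-hoc search text equals the current scheduled
    query, i.e. who tested the new query before saving it."""
    result = compare_versions(lines, savedsearch_name)
    if result is None:
        return []
    current = result[1]
    return sorted(
        (f["timestamp"], f["user"])
        for f in map(parse_audit, lines)
        if f.get("search") == current and not f.get("search_id", "").startswith("scheduler__")
    )


if __name__ == "__main__":
    old, new, diff = compare_versions(AUDIT_LINES, "Web 5xx alert")
    print("\n".join(diff))
    print("candidate editors:", [u for _, u in who_changed(AUDIT_LINES, "Web 5xx alert")])
```

The scheduler runs are attributed to splunk-system-user, which is why the alert's author cannot be read off them directly; the script keeps the old and new text from those runs and then looks for the ad-hoc run of the same text, which is the only part of _audit that carries the editing user's name.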