Alerting

Is there a way to audit when an alert is changed or disabled?

msmapper
Path Finder

Hi all,

I have been checking in index=_audit and I can't seem to find any sort of audit messaging about when an alerts gets disabled by a user or if the alert itself is changed. Does anyone know if this information can be found in Splunk?

Regards
Jen

valiquet
Contributor

Yes with REST. Use lookup to record the states.

|REST /services/saved/searches | fields title search disabled |lookup status.csv title AS title OUTPUT title AS lastTitle, search AS lastsearch, disabled AS lastdisabled | where search != lastsearch AND disabled !=lastdisabled disabled ==1 |outputlookup status.csv

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!