Hi all,
I have been checking in index=_audit and I can't seem to find any sort of audit messaging about when an alerts gets disabled by a user or if the alert itself is changed. Does anyone know if this information can be found in Splunk?
Regards
Jen
Yes with REST. Use lookup to record the states.
|REST /services/saved/searches | fields title search disabled |lookup status.csv title AS title OUTPUT title AS lastTitle, search AS lastsearch, disabled AS lastdisabled | where search != lastsearch AND disabled !=lastdisabled disabled ==1 |outputlookup status.csv