Splunk for Active Directory scheduled chg_users report with options selected

dbylertbg
Path Finder

I'm looking to generate a daily report of any changes made to specific users. The obvious dashboard to use seems to be the 'Change Management -> User Record Changes' (chg_users).

This works for searching manually for changes to a single specific user, but I don't see a way to schedule PDF delivery of the dashboard with any of the search options already selected. If you visit the dashboard and choose 'Actions -> Schedule PDF Delivery', it just runs the dashboard with the default options of * for the user. This obviously produces a report of changes for all users, not just the one(s) I want to monitor specifically.

0 Karma
1 Solution

skylasam_splunk
Splunk Employee

Hi,
Thanks for reporting this issue. As a workaround, you could run the search below for security-related changes, replacing the user with the user account you want to report on, and then get the PDF for that user. Hope that helps.

Search string -

eventtype=msad-user-changes user=<username> | eval adminuser=src_nt_domain."\\".src_user | eval dest_user_subject=dest_nt_domain."\\".user | `msad-changed-attributes` | `session-to-host` | `ip-to-host` | `fix-localhost` | table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges | rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes"

dbylertbg
Path Finder

I'll award this as an answer because it is a successful workaround.

However, I feel this should be part of the basic GUI functionality -- end users should not have to learn to write/manipulate Splunk searches to create custom dashboards to be able to schedule a pre-built dashboard for delivery with their specific options selected.

0 Karma
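
Added example, not part of the original thread or of the app: one way to schedule the workaround search as a daily PDF report for a fixed set of accounts, written as a savedsearches.conf stanza. The stanza name, the accounts jsmith and svc_backup, the recipient address and the 06:00 schedule are assumptions; the stanza is assumed to sit in the app's own local/savedsearches.conf so that the eventtype and macros resolve, and the macros are written in backticks, which SPL requires for macro calls.

```ini
# Constructed example: stanza name, accounts and recipient are hypothetical.
[AD user record changes - watched accounts]

# Same pipeline as the workaround search, with the user filter fixed to the
# watched accounts. A trailing backslash continues the value on the next line.
search = eventtype=msad-user-changes (user="jsmith" OR user="svc_backup") \
| eval adminuser=src_nt_domain."\\".src_user \
| eval dest_user_subject=dest_nt_domain."\\".user \
| `msad-changed-attributes` | `session-to-host` | `ip-to-host` | `fix-localhost` \
| table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges \
| rename src_ip as "Admin IP", src_host as "Workstation", \
  adminuser as "Administrator", msad_action as "Action", \
  dest_user_subject as "Target User", MSADChanges as "Changes"

# Run every day at 06:00 over the whole previous calendar day, so consecutive
# runs neither overlap nor leave a gap.
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Only fire the e-mail action when at least one change was found. Remove these
# three lines to get a report every day, which also shows the search still runs.
counttype = number of events
relation = greater than
quantity = 0

# Deliver the results as a PDF attachment.
action.email = 1
action.email.to = secops@example.com
action.email.subject = AD changes to watched accounts (previous day)
action.email.sendpdf = 1
```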