Splunk for Active Directory scheduled chg_users report with options selected

dbylertbg
Path Finder

I'm looking to generate a daily report of any changes made to specific users. The obvious dashboard to use seems to be the 'Change Management -> User Record Changes' (chg_users).

This works for searching manually for changes to a single specific user, but I don't see a way to schedule PDF delivery of the dashboard with any of the search options already selected. If you visit the dashboard and choose 'Actions -> Schedule PDF Delivery', it just runs the dashboard with the default options of * for the user. This obviously produces a report of changes for all users, not just the one(s) I want to monitor specifically.


skylasam_splunk
Splunk Employee

Hi,
Thanks for reporting this issue. As a workaround, you could run the search below for security-related changes, replacing the user with the user account you want to report on, and then get the PDF for that user. Hope that helps.

Search string -

eventtype=msad-user-changes user=<username>
| eval adminuser=src_nt_domain."\\".src_user
| eval dest_user_subject=dest_nt_domain."\\".user
| `msad-changed-attributes`
| `session-to-host`
| `ip-to-host`
| `fix-localhost`
| table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges
| rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes"

dbylertbg
Path Finder

I'll award this as an answer because it is a successful workaround.

However, I feel this should be part of the basic GUI functionality -- end users should not have to learn to write/manipulate Splunk searches to create custom dashboards to be able to schedule a pre-built dashboard for delivery with their specific options selected.
