Splunk for Active Directory scheduled chg_users report with options selected

Path Finder

I'm looking to generate a daily report of any changes made to specific users. The obvious dashboard to use seems to be the 'Change Management -> User Record Changes' (chg_users).

This works for searching manually for changes to a single specific user, but I don't see a way to schedule PDF delivery of the dashboard with any of the search options already selected. If you visit the dashboard and choose 'Actions -> Schedule PDF Delivery', it just runs the dashboard with the default options of * for the user. This obviously produces a report of changes for all users, not just the one(s) I want to monitor specifically.

Splunk Employee

Hi,
Thanks for reporting this issue. As a workaround, you could run the search below for security-related changes, replacing the user with the user account you want to report on, and then get the PDF for that user. Hope that helps.

Search string -

    eventtype=msad-user-changes user=<username> | eval adminuser=src_nt_domain."\\".src_user | eval dest_user_subject=dest_nt_domain."\\".user | `msad-changed-attributes` | `session-to-host` | `ip-to-host` | `fix-localhost` | table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges | rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes"

Path Finder

I'll award this as an answer because it is a successful workaround.

However, I feel this should be part of the basic GUI functionality -- end users should not have to learn to write/manipulate Splunk searches to create custom dashboards to be able to schedule a pre-built dashboard for delivery with their specific options selected.
