
Splunk for Active Directory scheduled chg_users report with options selected

dbylertbg
Path Finder

I'm looking to generate a daily report of any changes made to specific users. The obvious dashboard to use seems to be the 'Change Management -> User Record Changes' (chg_users).

This works for searching manually for changes to a single specific user, but I don't see a way to schedule PDF delivery of the dashboard with any of the search options already selected. If you visit the dashboard and choose 'Actions -> Schedule PDF Delivery', it just runs the dashboard with the default options of * for the user. This obviously produces a report of changes for all users, not just the one(s) I want to monitor specifically.


skylasam_splunk
Splunk Employee

Hi,
Thanks for reporting this issue. As a workaround, you could run the search below for security-related changes, replacing the user with the user account you want to report on, and then get the PDF for that user. Hope that helps.

Search string -

eventtype=msad-user-changes user=<username> | eval adminuser=src_nt_domain."\\".src_user | eval dest_user_subject=dest_nt_domain."\\".user | `msad-changed-attributes` | `session-to-host` | `ip-to-host` | `fix-localhost` | table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges | rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes"

dbylertbg
Path Finder

I'll award this as an answer because it is a successful workaround.

However, I feel this should be part of the basic GUI functionality -- end users should not have to learn to write/manipulate Splunk searches to create custom dashboards to be able to schedule a pre-built dashboard for delivery with their specific options selected.
