Hi,
I am working with the app lookup File Editor and When I search in the log, I only find the following
Who update the file ? or When update the file?
I need to see which field to update.
It is possible?
Regards
I don't believe Splunk audit logs will audit the changes to that level.
The only way I can think of determining the details would be to compare the lookup file contents by comparing the backup versions.
A log entry should show that a backup was created. You could correlate the backup file version to the change (search for "A backup of the lookup file was created"). However, I'm don't know of a way to access the backup lookup file via a Search.