Splunk query to check which user disabled/enabled an alert.
See what is in the logs with a search like this:
index=_audit "disabled alert name here"
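As an added illustration (not part of the thread or of Splunk's own tooling) of what the reader is doing by hand with that search: a small parser that walks audit lines in the `key=value` style that `_audit` events use, keeps only the events that touch the named alert, and returns who changed its state and when. The sample lines are constructed for the example, and the `object` and `operation` field names are an assumption made here; in a real deployment, confirm the actual field names in your own `index=_audit` events before relying on them.

```python
import re

# Constructed sample audit lines in a key=value layout resembling Splunk
# _audit events. The field names "object" and "operation" are assumptions
# for this example; verify them against your own audit index.
SAMPLE_AUDIT_LINES = [
    'Audit:[timestamp=03-02-2020 09:10:11.000, user=alice, action=search, info=granted, search="index=main"]',
    'Audit:[timestamp=03-02-2020 09:12:05.000, user=bob, action=edit, info=granted, object="Failed Logins Alert", operation=disable]',
    'Audit:[timestamp=03-02-2020 09:15:42.000, user=carol, action=edit, info=granted, object="Failed Logins Alert", operation=enable]',
    'Audit:[timestamp=03-02-2020 09:20:00.000, user=dave, action=edit, info=granted, object="Other Report", operation=disable]',
]

# key=value pairs; values are either a quoted string or run to the next comma/bracket
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')


def build_audit_search(alert_name):
    """Return the SPL search from the thread, scoped to one alert name."""
    return 'index=_audit "%s"' % alert_name


def parse_audit_line(line):
    """Parse one audit line into a dict of fields (surrounding quotes stripped)."""
    return {k: v.strip('"').strip() for k, v in KV_RE.findall(line)}


def find_alert_state_changes(lines, alert_name):
    """Return (user, operation, timestamp) for every enable/disable of alert_name.

    Events for other objects, or edits that are not an enable/disable,
    are ignored so the result answers exactly "who flipped this alert".
    """
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("object") != alert_name:
            continue
        if ev.get("operation") not in ("disable", "enable"):
            continue
        hits.append((ev.get("user"), ev["operation"], ev.get("timestamp")))
    return hits


if __name__ == "__main__":
    print(build_audit_search("Failed Logins Alert"))
    for user, op, ts in find_alert_state_changes(SAMPLE_AUDIT_LINES, "Failed Logins Alert"):
        print("%s %s by %s" % (ts, op, user))
```

The same filter expressed in SPL would be the thread's `index=_audit "<alert name>"` search narrowed further on the user and operation fields once you have confirmed what they are called in your events.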
Not sure @woodcock if the new version updated the audit log formats; my old 7.3 does not have your search query format yet. But I created a test alert, disabled it and queried the audit index, and got no match. Something fishy.
We have a report built in Splunk that runs whenever any alert is disabled by a user in Splunk. I want to find the user who has disabled the alert. Is this doable?
Care to elaborate?