Dashboards & Visualizations

How can I determine who modified a dashboard?

a212830
Champion

Hi,

I have a customer who needs to know who/when a dashboard was last modified. Is this possible?

Tags (3)

jaxjohnny2000
Builder
0 Karma

adm_rashi
New Member

How can I get to know if any of my scheduled alerts have been modified, deleted or anyone created a new alert?

i tried the above query and got the results as well for index=_internal but not for index=_audit.

Also my main concern is about the activity performed on existing Alerts.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Thank you, adm_rashi - I see you've also created your own question out of this. That's much more effective. 🙂

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I think is more in line with what you're looking for. It shows who updated or deleted any knowledge object. It breaks out the different portions so you can throw it into a form dashboard for filtering.

index=_internal sourcetype=splunkd_access
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- )
( uri_path=/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!=/servicesNS/*/mobile_access* )
 | replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
 | where mvcount( split( uri_path , "/" ) ) > 6
 | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
 | rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
 | eval object_name = urldecode( object_name )
 | table _time, user, object_name, object_type, activity

woodcock
Esteemed Legend

Take a look at this answer (question) and it should give you a good start:

http://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html

0 Karma

asimagu
Builder

you could check

index=_audit sourcetype=audittrail

then, take a look at the actions field. It may be there what you are trying to find

0 Karma

jonaclough
Path Finder

I tried the suggestions above. The SPL against the _internal index doesn't show modifications to dashboards. The SPL against the _audit index does but it shows a numeric ID for the user which I believe to be unrelated to the actual user. I say this as because this same ID is responsible for 99% of action=modify events across the platform. So I would presume it to be the splunk system user.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...