Dashboards & Visualizations
Highlighted

How can I determine who modified a dashboard?

Champion

Hi,

I have a customer who needs to know who/when a dashboard was last modified. Is this possible?

Tags (3)
Highlighted

Re: How can I determine who modified a dashboard?

Builder

you could check

index=_audit sourcetype=audittrail

then, take a look at the actions field. It may be there what you are trying to find

0 Karma
Highlighted

Re: How can I determine who modified a dashboard?

Esteemed Legend

Take a look at this answer (question) and it should give you a good start:

http://answers.splunk.com/answers/316312/ever-wonder-which-dashboards-are-being-used-and-wh.html

0 Karma
Highlighted

Re: How can I determine who modified a dashboard?

Ultra Champion

I think is more in line with what you're looking for. It shows who updated or deleted any knowledge object. It breaks out the different portions so you can throw it into a form dashboard for filtering.

index=_internal sourcetype=splunkd_access
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- )
( uri_path=/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!=/servicesNS/*/mobile_access* )
 | replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
 | where mvcount( split( uri_path , "/" ) ) > 6
 | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
 | rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
 | eval object_name = urldecode( object_name )
 | table _time, user, object_name, object_type, activity
Highlighted

Re: How can I determine who modified a dashboard?

New Member

How can I get to know if any of my scheduled alerts have been modified, deleted or anyone created a new alert?

i tried the above query and got the results as well for index=internal but not for index=audit.

Also my main concern is about the activity performed on existing Alerts.

0 Karma
Highlighted

Re: How can I determine who modified a dashboard?

SplunkTrust
SplunkTrust

Thank you, adm_rashi - I see you've also created your own question out of this. That's much more effective. 🙂

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.