you should usee
in the field "file" there is the dashboard modified.
Following Giuseppe's lead, this table might be what you're looking for:
index=_internal sourcetype=splunkd_ui_access editxml method=post ui/views/ | table _time user clientip file useragent | rename file as dashboard
EDIT: gokaroid's search revealed the 'file' field, removed my rex
FINAL EDIT, bringing in gokaroid's additions and edit type: (I hope)
index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/ | rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)" | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*" | table _time user clientip sessionId edit_type file useragent | rename file as dashboard
In case the xml was not edited, as edit can happen via edit panels/ui too, so this might also work:
index=_internal sourcetype=splunkd_ui_access method=post edit ui/views | rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*" | table user, useragent, req_time, file, sessionId | rename file as dashboard req_time as editTime
Can we perform these activity as power user. As I tried to search with index=_internal, but unable to get any event. So just wanted to check, what kind of extra permission needed.
You can check what role you have and get the
_internal index search ability assigned to it. Or if admin can edit the power role and assign
_internal index added in roles section. To achieve it go to
Go to section which has heading
Indexes and if the role is
power it should have
All non-internal indexes currently. Get the
_internal index added to this list.