Dashboards & Visualizations

What changes are made on Alerts / Dashboards?

vn_g
Path Finder

How can I find out when, by whom, and what changes are made to the following items in Splunk?

- Alerts/Saved searches

- Dashboards

0 Karma
1 Solution

impurush
Contributor

Hi @vn_g,
For dashboards, trial 3 is working perfectly; I have tested it in my environment.

For alerts, I have modified your trial 3 query and am getting the results correctly.

index=_internal sourcetype=splunkd_ui_access method=post saved/searches NOT StreamedSearch | table req_time,file,user | rename file as Alertname req_time as editTime

0 Karma

impurush
Contributor

Hi @vn_g, as far as I know, you can see when and who accessed the UI of the saved searches and dashboards API; however, we cannot see what was changed, because Splunk does not maintain any versions of these knowledge objects. You may need some additional apps to monitor the changes.

vn_g
Path Finder

OK, thank you for confirming.

My required output:

1) TimeOfTheAction, DashboardName, UserWhoModifiedIt

2) TimeOfTheAction, SearchName, UserWhoModifiedIt

Trial 1 (for alerts): index=_internal sourcetype=splunkd_conf data.asset_uri{}=savedsearches "data.optype_desc"="*"  | table _time data.optype_desc

Using the above, I am not able to find the user who modified the saved search.

Trial 2 (for dashboards): index=_internal sourcetype=splunkd_ui_access method=post ui/views (edit OR editxml)  | table req_time,file,user | rename file as dashboard req_time as editTime

The above doesn't give any results.

Trial 3 (for dashboards): index=_internal sourcetype=splunkd_ui_access method=post ui/views NOT StreamedSearch | table req_time,file,user | rename file as dashboard req_time as editTime

Is the above the correct one?

0 Karma

vn_g
Path Finder

Query: index=_internal sourcetype=splunkd_ui_access method=* ui/views NOT StreamedSearch
| table req_time,file,user,method
| rename file as dashboard req_time as editTime
| sort - editTime

Using the above query, it generates 2 events for each action.

Action: Create a new dashboard.

DashboardName   Method
views           GET
_new            POST

Action: Delete an existing dashboard.

DashboardName   Method
views           GET
multidelete     POST

My requirement is that I have to find out the dashboard name which is created or deleted.
I also have to get all the changes, updates, creations and deletions, excluding the GET method details.

0 Karma
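Added example, not from the thread or from Splunk: a Python classifier that applies the approach discussed above to constructed splunkd_ui_access-style log lines, dropping GET requests and pulling the knowledge-object name out of the request URI where the URI carries it. The line layout (common-log style with a quoted request line), the `_new` and `multidelete` handling (taken from the table in the post above) and the `/acl` permissions case are assumptions. The point it makes concrete is the one the last post runs into: for a create (`_new`) or a bulk delete (`multidelete`) the object name travels in the POST body, which the access log does not record, so the classifier returns None for the name in those cases and another source (for example the saved object itself or a configuration-tracking app) is needed to fill it in.

```python
"""Classify Splunk Web requests that modify dashboards or saved searches.

Added example, not code from the thread or from Splunk. SAMPLE_LOG is
constructed to resemble splunkd_ui_access lines; the exact field layout
and the action mapping below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines (assumed layout: client - user [time] "METHOD URI HTTP/x" status ...).
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Sep/2025:10:01:12.001 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views?count=-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 1ms
10.0.0.5 - admin [15/Sep/2025:10:01:15.221 +0000] "POST /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/_new HTTP/1.1" 201 812 "-" "Mozilla/5.0" - 12ms
10.0.0.5 - jdoe [15/Sep/2025:10:05:40.100 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/search/data/ui/views/failed_logins HTTP/1.1" 200 903 "-" "Mozilla/5.0" - 9ms
10.0.0.7 - jdoe [15/Sep/2025:10:07:02.500 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/search/data/ui/views/multidelete HTTP/1.1" 200 90 "-" "Mozilla/5.0" - 4ms
10.0.0.7 - jdoe [15/Sep/2025:10:08:30.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/search/saved/searches/brute_force_alert HTTP/1.1" 200 1200 "-" "Mozilla/5.0" - 7ms
10.0.0.7 - admin [15/Sep/2025:10:08:55.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/search/saved/searches/brute_force_alert/acl HTTP/1.1" 200 400 "-" "Mozilla/5.0" - 5ms
10.0.0.9 - guest [15/Sep/2025:10:09:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/search/saved/searches/brute_force_alert HTTP/1.1" 403 120 "-" "Mozilla/5.0" - 2ms
10.0.0.7 - admin [15/Sep/2025:10:09:30.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/admin/search/search/jobs HTTP/1.1" 201 300 "-" "Mozilla/5.0" - 30ms
"""

# Parses the fixed prefix of a line; the trailing fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The two knowledge-object collections this example classifies. Requiring a
# "/" or end-of-path after the collection avoids matching e.g. data/ui/viewstates.
OBJECT_RE = re.compile(r'/(?P<collection>data/ui/views|saved/searches)(?:/(?P<rest>.*))?$')
KIND = {"data/ui/views": "dashboard", "saved/searches": "saved_search"}


@dataclass
class Change:
    time: str
    user: str
    kind: str            # "dashboard" or "saved_search"
    action: str          # "create", "edit", "delete" or "permissions"
    name: Optional[str]  # None when the access log does not carry the name
    method: str


def classify(line: str) -> Optional[Change]:
    """Return a Change for a successful modifying request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method = m["method"]
    if method in ("GET", "HEAD"):
        return None                       # reads only; the thread wants these excluded
    if not m["status"].startswith("2"):
        return None                       # a rejected request (e.g. 403) changed nothing
    path = m["uri"].split("?", 1)[0]      # strip the query string before matching
    o = OBJECT_RE.search(path)
    if not o:
        return None                       # not a dashboard or saved-search URI
    kind = KIND[o["collection"]]
    segments = [unquote(s) for s in (o["rest"] or "").split("/") if s]
    if not segments or segments[0] == "_new":
        # Create: the new object's name is in the POST body, not in the URI.
        action, name = "create", None
    elif segments[0] == "multidelete":
        # Bulk delete from the listing page: the names are in the POST body.
        action, name = "delete", None
    elif method == "DELETE":
        action, name = "delete", segments[0]
    elif len(segments) > 1 and segments[1] == "acl":
        action, name = "permissions", segments[0]   # sharing/permission change
    else:
        action, name = "edit", segments[0]
    return Change(m["time"], m["user"], kind, action, name, method)


def changes_from_log(text: str) -> List[Change]:
    """Apply classify() to every line of an access log, keeping only changes."""
    return [c for c in (classify(line) for line in text.splitlines()) if c]


if __name__ == "__main__":
    for c in changes_from_log(SAMPLE_LOG):
        print(f"{c.time}  {c.user:<6} {c.kind:<13} {c.action:<12} {c.name}")
```

Run against real data, the input would be the `_raw` of `index=_internal sourcetype=splunkd_ui_access` events rather than the constructed lines; the classification logic stays the same. Rows whose name is None are exactly the create and multidelete events from the table above, which is why no search over this sourcetype alone can name a newly created or deleted dashboard.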