Hello,
There are a few ways to suppress data in Splunk, like the `| delete` command from the search menu or `splunk clean eventdata` from the shell. I am wondering whether there is a simple way to generate an alert when someone suppresses data from Splunk.
Thanks for the help.
You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the `splunk clean` command. Then it's a simple matter to search command histories for the command.
A clarification: `splunk clean eventdata` does not suppress data; it erases it.
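As an added illustration (not from the answer above), one way to turn both suggestions into a scheduled alert: an inputs.conf monitor that collects users' .bash_history, and a savedsearches.conf stanza that fires when either a `| delete` search shows up in remote_searches.log or `splunk clean` shows up in a collected shell history. The index name, stanza name and e-mail address are placeholders.

```ini
# inputs.conf (on every host where the splunk CLI can be run)
# Collect the shell history of accounts that are allowed to run `splunk clean`.
# "ops_audit" is an assumed index name; create it or change it.
[monitor:///home/*/.bash_history]
sourcetype = bash_history
index = ops_audit
disabled = 0

# savedsearches.conf (on the search head) -- hypothetical stanza name
[Alert - Splunk data deletion]
# Either a "| delete" search logged by the search peers, or "splunk clean" typed at a shell.
search = (index=_internal source=*remote_searches.log* "| delete") OR (index=ops_audit sourcetype=bash_history "splunk clean") \
    | eval method=if(like(source, "%remote_searches.log%"), "search: | delete", "cli: splunk clean") \
    | table _time host source method _raw
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
# Fire whenever at least one matching event is found in the window.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
```

Bash only flushes history when the shell exits unless the login profile writes it after every command, so the CLI half of this alert can lag behind the actual deletion.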
Thanks for the help!