Getting Data In

How to determine who deleted an alert/report?

vnguyen46
Contributor

Hello - I have created, saved and scheduled a report running on a daily basis. One day, the report was deleted from Splunk. Is there a way I can find out who deleted that report and when? I guess this also applies to alerts.

Thanks,


vnguyen46
Contributor

I tried all the suggestions, but still not seeing the records of when the report was deleted and by whom. The report was deleted after 8:00AM 05/15/19 and before 8:00AM 05/16/19.
I already opened a case with Splunk with diag file. Hope they find something.
Thanks,


Vijeta
Influencer

If it's a saved search/report, you can try this; the user field will give you who deleted the report.

index=_internal method=DELETE sourcetype=splunkd* source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" uri=*saved/searches*

PowerPacked
Builder

Hi

Take a look at the picture below.

Replace alert_123 with your alert name.

[screenshot not preserved]

Thanks


vnguyen46
Contributor

The report was deleted from Splunk web GUI. I tried both _internal and _audit indexes, but didn't gain much info about the incident.
Thanks,


koshyk
Super Champion
1. If it is done via the Splunk GUI or REST, then it will be audited at:

    index="_internal" method=DELETE sourcetype=splunkd_ui_access

2. If it was amended etc., you can see it in index=_audit
3. If it is done via the backend, hopefully you will have operating system auditing, like auditd or the Windows Security Log?

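As an added example (not code from the thread or from Splunk), the following Python script does offline what Vijeta's and koshyk's searches do inside Splunk: it reads splunkd_ui_access.log lines, keeps only DELETE requests whose URI contains saved/searches, and reports the user, client IP, timestamp and decoded saved-search name, so you can check a window such as the one vnguyen46 describes (after 8:00 AM 05/15/19 and before 8:00 AM 05/16/19). It assumes the Apache-style layout of splunkd_ui_access.log (client, user, bracketed timestamp, quoted request line, status); the log lines below are constructed for the demo and the names `Daily Report`, `Disk Alert`, `jdoe` and `svc_ops` are invented. A DELETE that returned 404 removed nothing, so the script records the HTTP status rather than treating every DELETE as a successful deletion; if no DELETE appears at all, the object was most likely removed on the backend (koshyk's item 3), which this log cannot show.

```python
"""Find who deleted a saved search/report from splunkd_ui_access.log lines.

Added example for this thread; not Splunk's own code. The line layout is
assumed to be the Apache-style access format splunkd writes, e.g.
  client - user [dd/Mon/yyyy:HH:MM:SS.mmm +zzzz] "METHOD /uri HTTP/1.1" status bytes ...
All sample lines and names below are constructed for the demo.
"""
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log. Splunk Web deletes go through /en-US/splunkd/__raw/servicesNS/...,
# direct REST deletes through /servicesNS/...; both contain "saved/searches".
SAMPLE_LOG = """\
10.0.0.5 - admin [15/May/2019:09:12:01.410 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/Daily%20Report HTTP/1.1" 200 4312 - - - 7ms
10.0.0.7 - jdoe [15/May/2019:14:37:22.118 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Daily%20Report HTTP/1.1" 200 1187 - - - 15ms
10.0.0.7 - jdoe [15/May/2019:14:40:02.003 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/data/props/ignore_me HTTP/1.1" 200 800 - - - 9ms
10.0.0.9 - svc_ops [16/May/2019:07:59:58.777 +0000] "DELETE /servicesNS/nobody/search/saved/searches/Disk%20Alert HTTP/1.1" 404 421 - - - 3ms
"""

# client, "-", user, [timestamp], "METHOD uri HTTP/x", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# URL-encoded saved-search name is the path segment after saved/searches/
SEARCH_RE = re.compile(r'saved/searches/([^/?]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"


def find_saved_search_deletes(log_text, name=None):
    """Return one dict per DELETE against saved/searches, optionally for one report name."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "DELETE":
            continue
        n = SEARCH_RE.search(m.group("uri"))
        if not n:
            continue  # DELETE of some other object (props, lookups, ...)
        search_name = unquote(n.group(1))
        if name is not None and search_name != name:
            continue
        status = int(m.group("status"))
        hits.append({
            "time": datetime.strptime(m.group("ts"), TS_FMT),  # timezone-aware
            "user": m.group("user"),
            "client": m.group("client"),
            "name": search_name,
            "status": status,
            # a 4xx/5xx DELETE did not remove anything; don't blame that user
            "succeeded": 200 <= status < 300,
        })
    return hits


def deletes_between(log_text, start_iso, end_iso, name=None):
    """Restrict hits to [start, end); bounds are ISO-8601 strings with an offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [h for h in find_saved_search_deletes(log_text, name) if start <= h["time"] < end]


if __name__ == "__main__":
    # The OP's window: after 8:00 AM 05/15/19 and before 8:00 AM 05/16/19 (UTC assumed here).
    for h in deletes_between(SAMPLE_LOG, "2019-05-15T08:00:00+00:00", "2019-05-16T08:00:00+00:00"):
        outcome = "deleted" if h["succeeded"] else f"DELETE failed (HTTP {h['status']})"
        print(f"{h['time'].isoformat()} {h['user']}@{h['client']} {outcome}: {h['name']!r}")
```

Run it against the real file ($SPLUNK_HOME/var/log/splunk/splunkd_ui_access.log, read with `open(...).read()` in place of `SAMPLE_LOG`) on each search head, since Splunk Web logs the request on the instance that served it. If the user column is `-` or the request never appears, the object was not removed through the UI or REST, and you are back to the backend auditing koshyk mentions.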