Getting Data In

How to determine who deleted an alert/report?

vnguyen46
Contributor

Hello - I have created, saved and scheduled a report running on a daily basis. One day, the report was deleted from Splunk. Is there a way I can find out who deleted that report and when? I guess this also applies to alerts.

Thanks,


vnguyen46
Contributor

I tried all the suggestions, but still not seeing the records of when the report was deleted and by whom. The report was deleted after 8:00AM 05/15/19 and before 8:00AM 05/16/19.
I already opened a case with Splunk with diag file. Hope they find something.
Thanks,


Vijeta
Influencer

If it's a saved search/report you can try this; the user field will give you who deleted the report.

index=_internal method=DELETE sourcetype=splunkd* source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" uri=*saved/searches*

PowerPacked
Builder

Hi

Take a look at the pic below.

Replace alert_123 with your alert name.

[screenshot of the search not available]

Thanks


vnguyen46
Contributor

The report was deleted from Splunk web GUI. I tried both _internal and _audit indexes, but didn't gain much info about the incident.
Thanks,


koshyk
Super Champion
1. If it is done via the Splunk GUI or REST, then it will be audited at:

    index="_internal" method=DELETE sourcetype=splunkd_ui_access

2. If it was amended etc., you can see it in index=_audit
3. If it is done via the backend, hopefully you will have operating system auditing, like auditd or the Windows Security Log?

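The two answers above (Vijeta's and koshyk's) both point at DELETE requests against saved/searches in splunkd_ui_access.log. As an added example that is not part of the original thread or of Splunk's own code, here is the same check done offline in Python, e.g. over a copy of the log pulled from a diag when the indexed _internal data no longer covers the window. The sample log lines are constructed and only approximate the combined-log style of splunkd_ui_access.log; the URI paths and user names are assumptions.

```python
import re
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the combined-log style of splunkd_ui_access.log
# (client, user, timestamp, request line, status). Paths/users are made up.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [15/May/2019:09:12:01.412 -0400] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches?output_mode=json HTTP/1.1" 200 4120 - - - 8ms
10.0.0.7 - admin [15/May/2019:14:03:27.005 -0400] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/daily_report HTTP/1.1" 200 312 - - - 15ms
10.0.0.7 - admin [15/May/2019:14:05:10.991 -0400] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/alert%20123?output_mode=json HTTP/1.1" 200 298 - - - 12ms
10.0.0.9 - mlee [16/May/2019:07:59:59.100 -0400] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/my_dashboard HTTP/1.1" 200 300 - - - 9ms
10.0.0.9 - mlee [17/May/2019:10:00:00.000 -0400] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/old_alert HTTP/1.1" 200 300 - - - 9ms
"""

# One access-log line: client - user [timestamp] "METHOD uri PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def find_saved_search_deletions(log_text, start=None, end=None):
    """Return DELETE requests against saved/searches, oldest first.

    start/end are optional timezone-aware datetimes bounding the window
    (e.g. the 8:00 AM 05/15 to 8:00 AM 05/16 window from the question).
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "DELETE":
            continue
        path = m.group("uri").split("?", 1)[0]     # drop query string
        if "/saved/searches/" not in path:         # ignore views, other objects
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
        if (start and when < start) or (end and when >= end):
            continue
        hits.append({
            "user": m.group("user"),
            "client": m.group("client"),
            "when": when,
            "report": urllib.parse.unquote(path.rsplit("/", 1)[1]),
            "status": int(m.group("status")),
        })
    return sorted(hits, key=lambda h: h["when"])

if __name__ == "__main__":
    tz = timezone(timedelta(hours=-4))
    for h in find_saved_search_deletions(SAMPLE_LOG, datetime(2019, 5, 15, 8, tzinfo=tz),
                                         datetime(2019, 5, 16, 8, tzinfo=tz)):
        print(f'{h["when"]:%Y-%m-%d %H:%M:%S} {h["user"]}@{h["client"]} deleted "{h["report"]}" (HTTP {h["status"]})')
```

A non-2xx status means the delete was attempted but refused, so keep the status column when reviewing; a deletion done on the backend (editing savedsearches.conf) never appears here, which is koshyk's third point.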