Getting Data In

How to pull audit trail logs of who made changes between given dates, and I want to create an alert for that.

Rocky31
Path Finder

We have a couple of admins (myself power); I want to create an alert if any one of them makes any changes. Please share some commands, instead of links and docs.

1 Solution

gokadroid
Motivator

Since the definition of "anyone made any changes" is vague, general changing actions shall include the create, edit, change and delete keywords. The way to find these keywords for users can be done as follows:

index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change*) | stats count by user, action

There might be some other keywords like embed, restart, update etc. which you would want to consider depending on your need. This search then might be a good starting point to set up an alert on once logged in as an admin user.


Rocky31
Path Finder

Thanks for your response buddy, can I create an alert for this command? Every time they make a change, an alert comes up. Do I need to change the command? Thanks.

0 Karma

gokadroid
Motivator
index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change* OR action=*embed* OR action=*restart* OR action=*update*) user=admin| stats count by user, action

You have to have admin rights to search index=_audit. If you do, then the above command can be saved as an alert.

Rocky31
Path Finder

I really appreciate your concern, I have a question. I created an alert using the above logic, but here I want the alert with information about who triggered it and what they triggered, all the information in the email. Can you please help me out with this?

0 Karma

gokadroid
Motivator

When you run this search, you have an option of Save As Alert. In the Alert Trigger Actions there is an option of Add Action > Send Email > When Triggered > Include, which can be used to send the results as attachments or inline as a table.

chandrasekharko
Path Finder

I created an alert and deleted an alert to try to see if the above search triggers an event. I do get results with the above query, but not useful information like "admin created an alert" or "deleted an alert" and the alert name. Is there some query I am looking for? Is it possible in the first place?

0 Karma