Getting Data In

Is there a way to monitor Splunk knowledge object permissions?


I am trying to generate report daily to monitor changes in knowledge objects (changes in permissions/new artifacts created/deleted/edited so on...) in Splunk. Is there any place they will be logged?

0 Karma

Esteemed Legend

You can get a list of all the KOs you care about like this:

|rest/services/configs/conf-macros | eval config="macros" | append [|rest/services/configs/conf-lookups | eval config="lookups"] | append ...

Then you can examine the permission fields you care about and export them to a file with outputlookup. Run this search every day and schedule another search to run just before you overwrite it, that checks the values now and look for differences.

0 Karma