Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

alert on deleted data

troywollenslege
Path Finder
‎03-20-2012 01:39 PM

Trying to look through the _internal logs in realtime to fire an alert if anyone tries to delete files with | delete

All searches I try will find the search itself (thus always firing).

Thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

View solution in original post

Reply
Solved! Jump to solution

awjohnson
Explorer
‎03-25-2014 10:38 AM

This is the search I'm running to monitor for delete attempts:

index=_audit sourcetype=audittrail "|" "delete" NOT "search='search index=_audit"

I'm searching the index of _audit and the sourcetype of auditrail for | and delete. Then so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 11:09 AM

Thx. I was using _internal, audit seems to work better;

index=_audit "action=search" search="*delete'" | table user info search
This is the search that I am going to run, seems to work with the caviot that there may be some false positives, which I am ok with.

0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-20-2012 10:17 PM

In 4.3 -

You can do the realtime alert on a rolling window, which gives you the opportunity to set a custom condition. In the custom condition, test for _time != now()

"now" is the time that the search started...

I am not sure that this will work, but I think it should...

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 09:22 AM

Maybe wasn't clear. I can do the search the problem is that when I search for someone deleting data, the search itself is found. So i woudl get alerted every time.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...