Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

alert on deleted data

troywollenslege
Path Finder
‎03-20-2012 01:39 PM

Trying to look through the _internal logs in realtime to fire an alert if anyone tries to delete files with | delete

All searches I try will find the search itself (thus always firing).

Thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

View solution in original post

Reply
Solved! Jump to solution

awjohnson
Explorer
‎03-25-2014 10:38 AM

This is the search I'm running to monitor for delete attempts:

index=_audit sourcetype=audittrail "|" "delete" NOT "search='search index=_audit"

I'm searching the index of _audit and the sourcetype of auditrail for | and delete. Then so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 11:09 AM

Thx. I was using _internal, audit seems to work better;

index=_audit "action=search" search="*delete'" | table user info search
This is the search that I am going to run, seems to work with the caviot that there may be some false positives, which I am ok with.

0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-20-2012 10:17 PM

In 4.3 -

You can do the realtime alert on a rolling window, which gives you the opportunity to set a custom condition. In the custom condition, test for _time != now()

"now" is the time that the search started...

I am not sure that this will work, but I think it should...

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 09:22 AM

Maybe wasn't clear. I can do the search the problem is that when I search for someone deleting data, the search itself is found. So i woudl get alerted every time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...