I have a user who did something that is now prompting for a splunk restart.
Is there any way to determine what config change they made?
I've looked through the _internal index but with no luck.
Thanks!
The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.
Thanks! It was most likely going to a page where a change may have happened.