We need to monitor who, when, where and what was changed in macros, searches and so on.
The _internal index can answer "who, when, where" (audit the POST requests).
What is the right and preferred way to answer exactly "what" was added to or removed from the knowledge object during the change operation?
P.S. We have to have this information in Splunk and correlate it with the _internal audit data.
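One way to get the "what" is to snapshot the knowledge-object definitions on a schedule and diff consecutive snapshots, emitting the field-level differences as events that Splunk can index and join with the POST requests in _internal. The script below is an added example for this thread, not code from Splunk or from the original poster. It assumes the snapshots are dicts built from the REST endpoints (such as /servicesNS/-/-/admin/macros and /servicesNS/-/-/saved/searches); the object keys, the field names and the sample data are constructed for illustration.

```python
"""Diff two snapshots of Splunk knowledge objects (macros, saved searches)
and emit key="value" change records for indexing in Splunk.

Added example for this thread, not Splunk's own code. The snapshot
format ("app/type/name" -> {field: value}) and the sample data are
constructed; a real collector would fill the dicts from the REST API.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

Snapshot = Dict[str, Dict[str, Any]]  # "app/type/name" -> {field: value}


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Dict[str, Any]]:
    """Return one change record per added or removed object and one per
    modified field, so the record states exactly what changed, not just
    that something in the object changed."""
    changes: List[Dict[str, Any]] = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append({"object": key, "action": "added",
                            "fields": sorted(after[key])})
        elif key not in after:
            changes.append({"object": key, "action": "removed",
                            "fields": sorted(before[key])})
        else:
            old, new = before[key], after[key]
            for field in sorted(set(old) | set(new)):
                if old.get(field) != new.get(field):
                    changes.append({"object": key, "action": "modified",
                                    "field": field,
                                    "old": old.get(field),
                                    "new": new.get(field)})
    return changes


def _kv_quote(value: Any) -> str:
    """Quote a value for Splunk key="value" auto-extraction."""
    text = "" if value is None else str(value)
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_kv_lines(changes: List[Dict[str, Any]],
                ts: Optional[datetime] = None) -> List[str]:
    """Render change records as one key="value" line each; the timestamp
    and object name are the keys used to correlate with _internal."""
    stamp = (ts or datetime.now(timezone.utc)).isoformat()
    lines = []
    for change in changes:
        parts = [f"time={_kv_quote(stamp)}"]
        for k, v in change.items():
            if isinstance(v, list):
                v = ",".join(v)
            parts.append(f"{k}={_kv_quote(v)}")
        lines.append(" ".join(parts))
    return lines


# Constructed sample: one macro edited, one report deleted, one alert added.
BEFORE: Snapshot = {
    "search/macros/failed_logins": {
        "definition": "index=auth action=failure", "args": ""},
    "search/saved/searches/Daily Errors": {
        "search": "index=app level=ERROR", "cron_schedule": "0 6 * * *"},
}
AFTER: Snapshot = {
    "search/macros/failed_logins": {
        "definition": "index=auth action=failure OR action=lockout", "args": ""},
    "search/saved/searches/Brute Force Alert": {
        "search": "`failed_logins` | stats count by src",
        "cron_schedule": "*/5 * * * *"},
}

CHANGES = diff_snapshots(BEFORE, AFTER)

if __name__ == "__main__":
    for line in to_kv_lines(CHANGES):
        print(line)
```

Run it from a scheduled job that writes the lines to a file monitored by a Splunk input; the `time` and `object` fields can then be joined against the POST requests recorded in `index=_internal sourcetype=splunkd_access` to attach the "who" and "where" to each field-level change.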
You may want to look into this, as it looks somewhat similar to your requirements. Mind you, there are going to be a lot of false positives.
Hope this helps,
So you say "_audit index is your friend for this", but in the answer you proposed to me the very first sentence is "It's already been determined that alarms/reports modifications are not being audited in _audit and _internal indexes." 🙂
Ah, my bad. I first started with the audit index, then remembered that a thread already exists for the issue. I totally forgot to edit the post after pasting the link.
Thanks for pointing out, man 😄