Monitoring Splunk

How to audit the admin activities on Splunk ?



I have read the document, but the audit log of splunk seems very noisy....

My manager want me to show the admin activities of splunk .
For example:
Who and when they add data inputs , add user , Modify scheduled search , modified dashboard ....

I tried to search on the _audit index to find the answer , but the data is too noisy to do so... It recorded a lot of activities that we don't understand and we have not done.
For example :
There is a lot of edit_user action for "admin"

Audit:[timestamp=07-18-2019 18:39:34.616, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

But we haven't edited the admin account during these time !?

It is weird that we use Splunk to audit other system, but it is hard to audit the activities on Splunk itself....

Labels (1)
Tags (2)
0 Karma


Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.

index=_internal sourcetype=splunkd_ui_access method=DELETE views 
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)" 
| table _time App Dashboard User
If this reply helps you, an upvote would be appreciated.
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!