My manager wants me to show the admin activities in Splunk.
Who added data inputs, added users, modified scheduled searches, modified dashboards, etc., and when.
I tried searching the _audit index to find the answer, but the data is too noisy to do so. It records a lot of activities that we don't understand and have not done.
For example :
There are a lot of edit_user actions for "admin".
Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.
index=_internal sourcetype=splunkd_ui_access method=DELETE views
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)"
| table _time App Dashboard User
--- If this reply helps you, an upvote would be appreciated.
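To see what the answer's rex actually pulls out of a splunkd_ui_access event, here is the same extraction run offline over a few constructed log lines. This is an added example, not code from the original post or from Splunk; the line layout (client, "-", authenticated user, timestamp, request line, status, bytes, trailing fields) is an assumption made for the example, and the sample events are constructed. It also records the account that sent the request separately from the servicesNS owner in the path, because the path segment the SPL labels "User" is the object's namespace (which can be "nobody"), not necessarily who clicked delete.

```python
import re

# Constructed sample events in the shape of Splunk's splunkd_ui_access log.
# The exact layout is an assumption for this example, not Splunk's documented format.
SAMPLE_LOG = """\
10.0.0.5 - admin [03/Mar/2020:09:12:01.455 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 4821 - - - 12ms
10.0.0.5 - admin [03/Mar/2020:09:12:44.102 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/sales_overview?output_mode=json HTTP/1.1" 200 93 - - - 8ms
10.0.0.9 - jdoe [03/Mar/2020:09:15:10.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/jdoe/myapp/data/ui/views HTTP/1.1" 201 512 - - - 15ms
10.0.0.9 - jdoe [03/Mar/2020:09:20:33.780 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/myapp/data/ui/views/draft_dash HTTP/1.1" 200 93 - - - 7ms
10.0.0.9 - jdoe [03/Mar/2020:09:21:00.000 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/jdoe/myapp/saved/searches/old_alert HTTP/1.1" 200 93 - - - 6ms
"""

# Common-log-style request line: who was authenticated, which method, which URI.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<auth_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The same pattern as the SPL rex in the answer, in Python named-group syntax:
# /<locale>/splunkd/__raw/servicesNS/<owner>/<app>/data/ui/views/<dashboard>
VIEW_RE = re.compile(
    r"/[-\w]+/\w+/[_\w]+/\w+/(?P<owner>[^/]+)/(?P<app>[^/]+)/data/ui/views/(?P<dashboard>[^?]+)"
)


def deleted_dashboards(log_text):
    """Return one record per DELETE of a dashboard, in log order.

    owner     = the servicesNS namespace in the URI (what the SPL rex labels User)
    auth_user = the account that actually sent the request
    """
    records = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "DELETE":
            continue  # unparseable line, or not a deletion
        v = VIEW_RE.search(m.group("uri_path"))
        if not v:
            continue  # DELETE of something other than a view (e.g. a saved search)
        records.append({
            "ts": m.group("ts"),
            "auth_user": m.group("auth_user"),
            "owner": v.group("owner"),
            "app": v.group("app"),
            "dashboard": v.group("dashboard"),
            "status": int(m.group("status")),
        })
    return records


if __name__ == "__main__":
    for r in deleted_dashboards(SAMPLE_LOG):
        print(f'{r["ts"]}  {r["auth_user"]:<8} deleted {r["app"]}/{r["dashboard"]}'
              f' (owner namespace: {r["owner"]}, HTTP {r["status"]})')
```

Two things the sample shows that are easy to miss in the SPL: the trailing `[^?]+` is what keeps `?output_mode=json` out of the dashboard name, and the `views` term in the search (here, the second regex) is what drops the DELETE of a saved search on the last line, so filtering on `method=DELETE` alone would over-report.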