Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to check if any alert or dashboard have been changed/modified in splunk

JuhiSaxena
Explorer
‎06-23-2018 01:19 AM

I want to create and alert to report any alert or dashboard which have been edited and am using below splunk query to do so. However this is reporting few alerts which are simply opened and no changes were made to them. Please help.

index=_internal sourcetype=splunkd_ui_access *  method=POST NOT "/search/jobs" "/saved/searches" OR "data/ui/views" 
| eval Time=strftime(_time, "%m/%d %H:%M:%S")   
|  table Time user uri   
| rex field=uri "(\/[^\/]+){5}\/(?[^\/]+)\/\w+(\/ui)*\/(?[^\/]+)\/(?

Marked and formatted the code in the query for you with the 101 010 button. The code is missing the end of the regex, and anything else after that.

Tags (2)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 12:40 PM

You should be using the audit index in my opinion. Without that, you won’t be able to tell if someone modifies .conf files such as savedsearches.conf via the command line, etc.

0 Karma
Reply

Sukisen1981
Champion
‎06-23-2018 01:49 AM

Hi - Here are some interesting threads on this, very similar to what you want.
Check them out
https://answers.splunk.com/answers/543196/how-can-i-check-to-see-if-a-splunk-dashboard-has-b.html
https://answers.splunk.com/answers/317274/how-can-i-determine-who-modified-a-dashboard.html

0 Karma
Reply

JuhiSaxena
Explorer
‎06-24-2018 02:11 AM

Thanks for your response. However i have gone through the links you provided. The Splunk query i shared is working perfectly fine, but is reporting some extra entries which is when a user opens an alert [which shouldn't be reported ideally]. I need to know what is wrong with my existing query which may be causing this.

I only need the list of objects which are actually edited.

0 Karma
Reply

rvany
Communicator
‎06-26-2018 02:32 AM

The query you noted is syntactically incorrect (some parts are missing probably during copy&paste) - please provide the complete statement.

Additionally: maybe your search statement is not exactly what you want. Please check your NOT and OR parts of the first line. Are they the way you expect?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...