Monitoring Splunk

How to check if any alert or dashboard have been changed/modified in splunk

JuhiSaxena
Explorer

I want to create an alert to report any alert or dashboard that has been edited, and I am using the Splunk query below to do so. However, it is reporting a few alerts which were simply opened, with no changes made to them. Please help.

```
index=_internal sourcetype=splunkd_ui_access * method=POST NOT "/search/jobs" "/saved/searches" OR "data/ui/views"
| eval Time=strftime(_time, "%m/%d %H:%M:%S")
| table Time user uri
| rex field=uri "(\/[^\/]+){5}\/(?[^\/]+)\/\w+(\/ui)*\/(?[^\/]+)\/(?
```

Marked and formatted the code in the query for you with the 101 010 button. The code is missing the end of the regex, and anything else after that.


jkat54
SplunkTrust

You should be using the audit index in my opinion. Without that, you won’t be able to tell if someone modifies .conf files such as savedsearches.conf via the command line, etc.


Sukisen1981
Champion

JuhiSaxena
Explorer

Thanks for your response. However, I have gone through the links you provided. The Splunk query I shared is working perfectly fine, but it is reporting some extra entries, namely when a user opens an alert (which ideally shouldn't be reported). I need to know what is wrong with my existing query that may be causing this.

I only need the list of objects which are actually edited.


rvany
Communicator

The query you posted is syntactically incorrect (some parts are probably missing, lost during copy & paste). Please provide the complete statement.

Additionally: maybe your search statement is not exactly what you want. Please check your NOT and OR parts of the first line. Are they the way you expect?

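As an added example (not code from this thread, and not Splunk's own), here is the filtering the question is after, written in Python over a handful of constructed splunkd_ui_access-style lines. It separates a real change from a mere open by keying on the HTTP method and on the exact REST object path, which is the distinction the original query's free-text terms do not make. The line layout (combined-log style with user, request line and status), the REST paths under `/servicesNS/`, the `/acl` sub-resource request and the user names are all assumptions made for the example; adjust `LOG_RE` and `OBJECT_RE` to what your own `_internal` events look like.

```python
import re
from urllib.parse import unquote

# Combined-log style layout assumed for splunkd_ui_access:
#   client - user [timestamp] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# REST path of a saved search (alert) or a view (dashboard), anchored on
# /servicesNS/ and ending at the object name. Anything after the name
# (e.g. /acl, /dispatch) is a sub-resource, captured in "rest".
OBJECT_RE = re.compile(
    r'/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/'
    r'(?P<kind>saved/searches|data/ui/views)/(?P<name>[^/?]+)(?P<rest>/[^?]*)?'
)

KIND_LABEL = {"saved/searches": "saved_search", "data/ui/views": "view"}
CHANGE_METHODS = {"POST", "DELETE"}   # GET = opened or viewed, not edited


def parse_access_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_change(line):
    """Return a record for an edit/delete of an alert or view, else None."""
    ev = parse_access_line(line)
    if ev is None or ev["method"] not in CHANGE_METHODS:
        return None                       # reads are not changes
    if not ev["status"].startswith("2"):
        return None                       # a rejected request changed nothing
    obj = OBJECT_RE.search(ev["uri"])
    if obj is None:
        return None                       # e.g. POST .../search/jobs (a dispatch)
    if obj.group("rest"):
        return None                       # sub-resource such as /acl or /dispatch
    return {
        "time": ev["ts"],
        "user": ev["user"],
        "action": "delete" if ev["method"] == "DELETE" else "edit",
        "kind": KIND_LABEL[obj.group("kind")],
        "app": obj.group("app"),
        "name": unquote(obj.group("name")),
    }


def changed_objects(lines):
    """Run the classifier over a batch of lines and keep only real changes."""
    return [rec for rec in map(classify_change, lines) if rec is not None]


# Constructed sample events (not real Splunk output).
SAMPLE_LINES = [
    # opening an alert in the editor: GET, must not be reported
    '10.0.0.5 - juhi [01/Feb/2024:09:00:01.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/juhi/search/saved/searches/Failed%20Logins?output_mode=json HTTP/1.1" 200 4102 "-" "Mozilla/5.0" - 12ms',
    # saving an edited alert: POST to the object path, report it
    '10.0.0.5 - juhi [01/Feb/2024:09:02:10.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/juhi/search/saved/searches/Failed%20Logins HTTP/1.1" 200 88 "-" "Mozilla/5.0" - 40ms',
    # dispatching a search: POST, but not a config change
    '10.0.0.7 - bob [01/Feb/2024:09:03:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/bob/search/search/jobs HTTP/1.1" 201 300 "-" "Mozilla/5.0" - 100ms',
    # viewing a dashboard: GET, must not be reported
    '10.0.0.7 - bob [01/Feb/2024:09:04:00.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/bob/search/data/ui/views/soc_overview HTTP/1.1" 200 9000 "-" "Mozilla/5.0" - 8ms',
    # saving an edited dashboard: POST to the object path, report it
    '10.0.0.7 - bob [01/Feb/2024:09:05:30.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/bob/search/data/ui/views/soc_overview HTTP/1.1" 200 88 "-" "Mozilla/5.0" - 35ms',
    # permission change on a sub-resource (assumed shape): excluded here
    '10.0.0.5 - juhi [01/Feb/2024:09:05:45.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/juhi/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 88 "-" "Mozilla/5.0" - 20ms',
    # deleting an alert: DELETE, also a change worth reporting
    '10.0.0.5 - juhi [01/Feb/2024:09:06:00.000 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/juhi/search/saved/searches/Old%20Alert HTTP/1.1" 200 20 "-" "Mozilla/5.0" - 15ms',
]

if __name__ == "__main__":
    for rec in changed_objects(SAMPLE_LINES):
        print(rec)
```

Of the seven constructed lines only the two saves and the delete come out; the two GETs, the search-job dispatch and the `/acl` request are dropped. The same shape carries back into SPL: restrict on the extracted `method` field (POST or DELETE rather than free-text terms), write the intended grouping of NOT and OR with explicit parentheses instead of relying on implicit precedence, and anchor the `rex` at `/servicesNS/` so it stops at the object name. Whether ACL changes should count as edits is a policy choice; drop the `rest` check if they should. jkat54's caveat still applies: this only sees changes made through the web UI or REST, so edits made directly to savedsearches.conf on disk will only show up in `_audit` or in file-integrity monitoring, not here.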