How to check if any alert or dashboard have been changed/modified in splunk

JuhiSaxena
Explorer

I want to create an alert to report any alert or dashboard that has been edited, and am using the Splunk query below to do so. However, this is reporting a few alerts which were simply opened with no changes made to them. Please help.

index=_internal sourcetype=splunkd_ui_access *  method=POST NOT "/search/jobs" "/saved/searches" OR "data/ui/views" 
| eval Time=strftime(_time, "%m/%d %H:%M:%S")   
|  table Time user uri   
| rex field=uri "(\/[^\/]+){5}\/(?[^\/]+)\/\w+(\/ui)*\/(?[^\/]+)\/(?

Marked and formatted the code in the query for you with the 101 010 button. The code is missing the end of the regex, and anything else after that.


jkat54
SplunkTrust

You should be using the audit index in my opinion. Without that, you won’t be able to tell if someone modifies .conf files such as savedsearches.conf via the command line, etc.


Sukisen1981
Champion

JuhiSaxena
Explorer

Thanks for your response. However, I have gone through the links you provided. The Splunk query I shared is working perfectly fine, but is reporting some extra entries, which is when a user opens an alert (which shouldn't be reported, ideally). I need to know what is wrong with my existing query that may be causing this.

I only need the list of objects which are actually edited.


rvany
Communicator

The query you noted is syntactically incorrect (some parts are probably missing, lost during copy and paste). Please provide the complete statement.

Additionally: maybe your search statement is not exactly what you want. Please check your NOT and OR parts of the first line. Are they the way you expect?

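To make the thread's search concrete, here is the same filter and URI parsing run over a few constructed splunkd_ui_access-style lines. This is an added example, not code from the original post or from Splunk; the log lines are made up, and the capture-group names app, kind and name are my own, since the original post's names were lost in extraction. It encodes SPL's precedence explicitly (NOT binds tighter than OR, which binds tighter than AND, so the first line of the original search already reads as POST AND NOT jobs AND (searches OR views)), URL-decodes the object name, and keeps whatever follows the object name in the URI as a separate field. Looking at that trailing part is one way to investigate the extra rows the poster describes: a POST that ends at the object name is a different action from one that hits a sub-resource such as /dispatch (which runs a saved search), but the thread does not confirm that this is the cause, so treat the split as a hypothesis to check against your own web_access data.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the style of Splunk Web's access log
# (sourcetype=splunkd_ui_access). They are made up for this example and
# are not taken from the thread or from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Aug/2024:10:15:02.123 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 4321
10.0.0.5 - alice [12/Aug/2024:10:15:40.987 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512
10.0.0.7 - bob [12/Aug/2024:10:16:11.001 +0000] "POST /en-US/splunkd/__raw/servicesNS/bob/search/search/jobs HTTP/1.1" 201 88
10.0.0.7 - bob [12/Aug/2024:10:17:30.444 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/soc_app/data/ui/views/soc_overview HTTP/1.1" 200 913
10.0.0.9 - carol [12/Aug/2024:10:18:05.222 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins/dispatch HTTP/1.1" 201 301
"""

# Combined-log style request line: client, ident, user, time, request, status, bytes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The thread's URI regex with capture-group names filled in (app, kind and name
# are assumed names, not the original post's). Five leading path segments
# (/en-US/splunkd/__raw/servicesNS/<owner>) are skipped, then the app, then
# "saved" or "data", an optional "/ui", then "searches" or "views", then the
# object name. "rest" captures anything after the name, e.g. "/dispatch".
URI_RE = re.compile(
    r'^(?:/[^/]+){5}/(?P<app>[^/]+)/\w+(?:/ui)?/(?P<kind>[^/]+)/(?P<name>[^/?]+)(?P<rest>/[^?]*)?'
)


def parse_events(log_text):
    """Turn raw access-log lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def matches_spl_filter(evt):
    """First line of the thread's search with SPL precedence made explicit.

    SPL evaluates NOT before OR before AND, so
        method=POST NOT "/search/jobs" "/saved/searches" OR "data/ui/views"
    means: POST AND (NOT contains /search/jobs) AND (searches OR views).
    """
    uri = evt["uri"]
    return (
        evt["method"] == "POST"
        and "/search/jobs" not in uri
        and ("/saved/searches" in uri or "data/ui/views" in uri)
    )


def report(log_text):
    """Rows the alert would produce: who touched which object, via which URI.

    'rest' is non-empty when the POST hit a sub-resource of the object
    (e.g. /dispatch, which runs a saved search) rather than the object itself.
    Splitting on it is a hypothesis for the extra rows in the thread, not a
    verified explanation.
    """
    rows = []
    for evt in parse_events(log_text):
        if not matches_spl_filter(evt):
            continue
        m = URI_RE.match(evt["uri"])
        if not m:
            continue
        rows.append({
            "time": evt["time"],
            "user": evt["user"],
            "app": m.group("app"),
            "kind": m.group("kind"),
            "name": unquote(m.group("name")),
            "rest": m.group("rest") or "",
        })
    return rows


def object_edits(log_text):
    """Only POSTs whose URI ends at the object name (candidate real edits)."""
    return [r for r in report(log_text) if r["rest"] == ""]


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(r)
```

On the sample data the GET is dropped by the method test, the /search/jobs POST by the NOT clause, and the /dispatch POST is kept by the original filter but separated out by object_edits. Whatever the final filter looks like, jkat54's point still stands: web_access only sees changes made through Splunk Web, so pair this with the _audit index if edits via the REST API or direct savedsearches.conf changes also matter.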