Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find out when SavedSearches have been edited?

thommu
Engager
‎03-29-2018 08:36 AM

I have this requirement to check if saved searches have been edited.

I looked through _internal but only saw information about searches running under scheduler. It didn't display the query for me to check if it changed.

After looking through the forums, I found the REST command | rest /services/saved/searches
This displayed all the queries for each search, but It seems to show only the current query, rather than a history of changes.

Is this something Splunk logs within itself?

0 Karma
Reply

renatobamorim
Explorer
‎11-09-2018 11:17 AM

Another way is run this search

index=_internal sourcetype=splunkd_conf data.asset_uri{}=savedsearches

When any rule is changed the data.optype_desc field receive the WRITE_STANZA value.

Reply

p_gurav
Champion
‎03-30-2018 01:35 AM

Hi,

You can try this search, its for all changes, you can modify according to your requirements:

index=_internal sourcetype=splunkd_access
 ( method=POST OR method=DELETE )
 ( user!=sandy user!=splunk-system-user )
 ( uri_path=/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!=/servicesNS/*/mobile_access* )
  | replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
  | where mvcount( split( uri_path , "/" ) ) > 6
  | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
  | rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
  | eval object_name = urldecode( object_name )
  | table _time, user, object_name, object_type, activity
Reply

thommu
Engager
‎03-30-2018 10:14 AM

Awesome, this is perfect!

Any chance the _internals will tell me what those queries were at the time of the edit?

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...