Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to retrace when and what was modified in a saved search?

chris
Motivator
‎08-27-2010 12:07 PM

Hi

I would like to see when saved searches are modified and what their new values are.

I read that the execution of capabilietes listed in authorize.conf should generate an audit event (http://www.splunk.com/base/Documentation/4.1.4/admin/AuditSplunkActivity). I did not see any capability defined associated with editing saved searches. Is there a way to enable it or is this the wrong approach.

Thanks for helping me

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-27-2010 03:44 PM

I put all my apps in version control; which obviously includes the savedsearches.conf file.

This approach certainly requires more effort, but it also helps to recover if any weird things get changed. Also revision control gives the inherent ability to diffs and roll back. One thing that you can't really do is figure out "who" exactly, since everything is just in a text file so there's no real way of knowing who made what change if it was made from the web interface.

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-27-2010 03:44 PM

I put all my apps in version control; which obviously includes the savedsearches.conf file.

This approach certainly requires more effort, but it also helps to recover if any weird things get changed. Also revision control gives the inherent ability to diffs and roll back. One thing that you can't really do is figure out "who" exactly, since everything is just in a text file so there's no real way of knowing who made what change if it was made from the web interface.

Reply
Solved! Jump to solution

chris
Motivator
‎08-27-2010 11:33 PM

Thanks. We were thinking about that, I was just wondering whether there was a way to do this built into splunk.

0 Karma
Reply
Solved! Jump to solution

jfraiberg
Communicator
‎08-27-2010 01:19 PM

Why not just add that file to splunk to watch. than you can do diffs on it every time it changes.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...