Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to track and audit deleted ticket/case/investigation to build a report identifying this information?

sksplunk16
Engager
‎05-02-2016 10:51 AM

Is there a way to track and audit deleted ticket/case/investigation? I am looking to see if I can build a report identifying this info.

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎05-02-2016 01:43 PM

Splunk notable events -- absolutely, this is easily doable. If you are using Splunk Enterprise Security, you will find under the Audit menu, a dashboard called Incident Review Audit. This contains a variety of metrics surrounding notable events, but you can always dig deeper and do your own analytics. If you click Open in Search for any of those, you will find searches that start with:

| `incident_review`

This is a macro for:

inputlookup append=T incident_review_lookup | ....

Which is where all the incident review activity lives. This should give you all the audit details you could desire for your reporting.

View solution in original post

Reply
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎05-02-2016 01:43 PM

Splunk notable events -- absolutely, this is easily doable. If you are using Splunk Enterprise Security, you will find under the Audit menu, a dashboard called Incident Review Audit. This contains a variety of metrics surrounding notable events, but you can always dig deeper and do your own analytics. If you click Open in Search for any of those, you will find searches that start with:

| `incident_review`

This is a macro for:

inputlookup append=T incident_review_lookup | ....

Which is where all the incident review activity lives. This should give you all the audit details you could desire for your reporting.

Reply
Solved! Jump to solution

sksplunk16
Engager
‎05-02-2016 03:34 PM

Thanks David. That's what I am looking for. But the only issue is these capabilities don't track incident deletion. If an incident gets deleted, It's no longer available in the "Incident Review" dashboard or the lookup table. I am trying to find a way to report on those that gets deleted.

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎05-02-2016 03:52 PM

Gotcha. The only way to actually delete an incident is using the | delete command on index=notable. Its inadvisable to enable | delete and I would recommend monitoring that via process and index=_audit.

0 Karma
Reply
Solved! Jump to solution

sksplunk16
Engager
‎05-02-2016 01:05 PM

Hi David,

Additional clarification - By ticket/case/investigation I am referring to Splunk notable events that are actively open and being investigated.

Thanks!

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎05-02-2016 11:26 AM

Can you provide some more detail on what you're looking for, what data sources you have, etc.?

0 Karma
Reply
Solved! Jump to solution

sksplunk16
Engager
‎05-02-2016 11:44 AM

Hi David,

Thanks for your response. I am not targeting any data source specifically, I am looking to get a daily report Splunk incident/case/investigation that've been deleted by any authorized Splunk users.
I hope that helps clarify the question.

Thanks!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-02-2016 12:28 PM

As far as I know, there is not feature in Splunk which is incident/case/investigation. It looks like you've some data stored in Splunk which corresponds to incident/case/investigation? Is that correct ?

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...