Can you provide some more detail on what you're looking for, what data sources you have, etc.?
Thanks for your response. I am not targeting any data source specifically, I am looking to get a daily report Splunk incident/case/investigation that've been deleted by any authorized Splunk users.
I hope that helps clarify the question.
As far as I know, there is not feature in Splunk which is incident/case/investigation. It looks like you've some data stored in Splunk which corresponds to incident/case/investigation? Is that correct ?
Additional clarification - By ticket/case/investigation I am referring to Splunk notable events that are actively open and being investigated.
Splunk notable events -- absolutely, this is easily doable. If you are using Splunk Enterprise Security, you will find under the Audit menu, a dashboard called Incident Review Audit. This contains a variety of metrics surrounding notable events, but you can always dig deeper and do your own analytics. If you click Open in Search for any of those, you will find searches that start with:
This is a macro for:
inputlookup append=T incident_review_lookup | ....
Which is where all the incident review activity lives. This should give you all the audit details you could desire for your reporting.
Thanks David. That's what I am looking for. But the only issue is these capabilities don't track incident deletion. If an incident gets deleted, It's no longer available in the "Incident Review" dashboard or the lookup table. I am trying to find a way to report on those that gets deleted.
Gotcha. The only way to actually delete an incident is using the
| delete command on index=notable. Its inadvisable to enable
| delete and I would recommend monitoring that via process and index=_audit.