Hello,
Can someone help me with a search to find out whether any changes have been made to the Splunk reports (ex: paloalto report) in the last 30 days?
Thanks
Hi @Roy_9,
Changes should be logged in index=_audit:
index=_audit host IN (sh) action=modified info=succeeded savedsearch_name=xyz earliest=-30d
Replace "sh" with a list of your search head host names and "xyz" with the name of the report.
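
A broader form of the search in the answer above, added here as an example and not part of the original reply: it summarizes changes across all reports instead of a single one. The host names sh1 and sh2 are placeholders, and it assumes the matching audit events carry the standard `user` field.

```spl
index=_audit host IN (sh1, sh2) action=modified info=succeeded savedsearch_name=* earliest=-30d
| stats count AS changes, latest(_time) AS last_change, values(user) AS changed_by BY savedsearch_name
| sort - last_change
| eval last_change=strftime(last_change, "%Y-%m-%d %H:%M:%S")
```

A report with no row in the output had no matching audit events in the 30-day window.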