Solved: Find user that uploaded an app

ccsfdave · ‎03-04-2014

Greetings,

I am trying to find a way to see which user uploaded an app into our Splunk instance. The permissions are not as required and the user needs further training. Now all I have to do is identify which user did it.

Thanks,

Dave

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

Find user that uploaded an app

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor