Solved: Find user that uploaded an app

ccsfdave · ‎03-04-2014

Greetings,

I am trying to find a way to see which user uploaded an app into our Splunk instance. The permissions are not as required and the user needs further training. Now all I have to do is identify which user did it.

Thanks,

Dave

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

Find user that uploaded an app

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Find user that uploaded an app

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES