Solved: Find user that uploaded an app

ccsfdave · ‎03-04-2014

Greetings,

I am trying to find a way to see which user uploaded an app into our Splunk instance. The permissions are not as required and the user needs further training. Now all I have to do is identify which user did it.

Thanks,

Dave

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post

lguinn2 · ‎03-04-2014

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

Find user that uploaded an app

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation