Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to query to monitor new inputs

sarit_s
Communicator
‎02-14-2022 06:09 AM

Hello

I want to monitor if user run new search in our environment or created new alert 
i tried to use this query :

 

|rest /services/saved/searches | search action.email.to=* OR action.email.to=*  | where  disabled=0  | table title , search , updated

 

the problem is that there is no time field in order to compare the 'updated' value with time to know if there is something new.

is there any other way to check new entries ?

Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-14-2022 06:54 AM

The updated field gives you the time it was updated - can you compare that to now()?

0 Karma
Reply

sarit_s
Communicator
‎02-14-2022 07:26 AM

does 

|rest /services/saved/searches

returns only saved searches or also real time searches ?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-14-2022 08:11 AM

Hi

I think that you should use REST Endpoint 

| rest /servicesNS/-/-/saved/searches

to get all users saved searches from all apps. With your original you didn't get those.

I think that you get only alerts/reports etc. which are stored into savedsearches.conf not those which users are currently running as add hoc. But best to check it unless someone can confirm this.

To check if there are any new savedsearches which has modified you must generate lookup where you stored those modified times and then check if that differs now.

r. Ismo

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-14-2022 08:41 AM

Tom West does a good presentation on Dashboarding Wowzas at BSides (BSides Splunk Conference) and other places where he presents version control for dashboards. This could easily be modified to deal with searches.

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...