How to run a search to determine whether an app has been uploaded through GUI/Rest API?

New Member

I am looking to audit any user that uploads to splunk through the User interface or REST API 

After doing some investigation I have found that the endpoints /services/app/local is the REST API endpoint that can be used to post an application. I was wondering whether splunk internally posts to that API when you utilise the GUI so by auditing that log you can get both use cases. 

I have crafted the below search to isolate these events and confirmation that this works would be awesome!

index=_internal sourcetype=splunkd_access /services/apps/local method=POST

Appreciate all assistance. 

Labels (1)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...