Security

I need a query to get the newly created use cases for the last 7 days

yazeed
New Member

I need a query to get the newly created use cases in the last 7 days and another query to get the fine-tuned use cases for the last 7 days.

0 Karma

kiran_panchavat
SplunkTrust

@yazeed

Splunk's _configtracker can be used to monitor changes to alerts and saved searches in Splunk.

The _configtracker index:

With Splunk 9, the _configtracker index was introduced. This index stores changes to Splunk configuration files, including the date and time of the change, as well as all the new and old values associated with the modified item.

However, the data in _configtracker has a limitation: it only monitors changes to configuration files. Consequently, a crucial piece of information is missing from these logs: the user responsible for the change. While it does provide a record of the previous and updated settings, this information is not available in the same event. Therefore, to create a comprehensive alert, we need to perform data aggregation and enrichment.

For instance, after the described change to the Windows failed logons alert use case, the configtracker will contain two related events. Note the search looks in the _configtracker index, for a configuration update, where the changed item (data.changes{}.stanza) is specified, and particularly for a saved search being changed, independently of the app and Splunk installation directory ("*/savedsearches.conf").

Here is the SPL query:

index=_configtracker component=ConfigChange data.action=update data.changes{}.stanza=* data.path="*/savedsearches.conf"


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
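The aggregation step described in the reply above, as an added example that is neither Splunk's code nor the poster's SPL: a small Python script that takes _configtracker-style events (constructed here, one JSON object per line), keeps only the savedsearches.conf changes inside a 7-day window, and splits them into newly created stanzas and tuned stanzas. The fields component, data.action, data.path and data.changes{}.stanza follow the SPL in the reply; the action value "add" for a newly created stanza and the per-property old_value/new_value layout inside data.changes{} are assumptions to verify against your own _configtracker events.

```python
"""Split _configtracker-style saved-search changes into 'created' and 'tuned'.

Added illustration, not Splunk's code. Field names mirror the SPL in the
post (component, data.action, data.path, data.changes{}.stanza); the "add"
action value and the properties[] layout are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)

# Constructed sample events modelled on _configtracker output (not real data).
SAMPLE_EVENTS = r"""
{"_time":"2025-12-10T09:00:00Z","component":"ConfigChange","data":{"action":"add","path":"/opt/splunk/etc/apps/example_app/local/savedsearches.conf","changes":[{"stanza":"Example - New Failed Logon Spike - Rule","properties":[{"name":"search","old_value":"","new_value":"index=wineventlog EventCode=4625 | stats count by user"}]}]}}
{"_time":"2025-12-11T14:30:00Z","component":"ConfigChange","data":{"action":"update","path":"/opt/splunk/etc/apps/example_app/local/savedsearches.conf","changes":[{"stanza":"Example - Windows Failed Logons - Rule","properties":[{"name":"search","old_value":"... | where failures > 5","new_value":"... | where failures > 10"}]}]}}
{"_time":"2025-12-01T08:00:00Z","component":"ConfigChange","data":{"action":"update","path":"/opt/splunk/etc/apps/search/local/savedsearches.conf","changes":[{"stanza":"Example - Old Tuning - Rule","properties":[{"name":"cron_schedule","old_value":"*/5 * * * *","new_value":"*/10 * * * *"}]}]}}
{"_time":"2025-12-12T10:00:00Z","component":"ConfigChange","data":{"action":"update","path":"/opt/splunk/etc/system/local/props.conf","changes":[{"stanza":"source::example","properties":[]}]}}
"""


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Load one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_savedsearch_change(event):
    """Mirror the SPL filter: ConfigChange events touching any savedsearches.conf."""
    data = event.get("data", {})
    return event.get("component") == "ConfigChange" and data.get("path", "").endswith("/savedsearches.conf")


def classify_changes(events, now, window=WINDOW):
    """Return (created, tuned): each maps a stanza name to its change records."""
    created, tuned = {}, {}
    cutoff = now - window
    for ev in events:
        if not is_savedsearch_change(ev):
            continue
        ts = parse_time(ev["_time"])
        if ts < cutoff:
            continue  # outside the 7-day window
        action = ev["data"].get("action")
        for change in ev["data"].get("changes", []):
            stanza = change.get("stanza")
            if not stanza:
                continue  # SPL equivalent of data.changes{}.stanza=*
            record = {
                "time": ts.isoformat(),
                "path": ev["data"]["path"],
                # property name -> (old value, new value); layout is an assumption
                "properties": {p["name"]: (p.get("old_value"), p.get("new_value"))
                               for p in change.get("properties", [])},
            }
            if action == "add":          # assumed value for a newly created stanza
                created.setdefault(stanza, []).append(record)
            elif action == "update":     # value used in the SPL above
                tuned.setdefault(stanza, []).append(record)
    # A stanza created inside the window and edited afterwards is reported as new, not tuned.
    for stanza in created:
        tuned.pop(stanza, None)
    return created, tuned


def run_demo(now_iso="2025-12-15T00:00:00Z"):
    """Classify the constructed events relative to a fixed 'now'."""
    return classify_changes(parse_events(SAMPLE_EVENTS), parse_time(now_iso))


if __name__ == "__main__":
    created, tuned = run_demo()
    print("Created in the last 7 days:", sorted(created))
    print("Tuned in the last 7 days:", sorted(tuned))
```

The fixed "now" keeps the run reproducible; in practice pass `datetime.now(timezone.utc)` and feed the script the JSON output of the SPL search above. The "user responsible" gap the reply mentions is not closed here, since _configtracker events carry no user field.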

richgalloway
SplunkTrust

What exactly do you mean by "new created use cases" and "fine tuned use cases"?  What queries have you tried?  How did those queries not meet expectations?

---
If this reply helps you, Karma would be appreciated.
0 Karma

yazeed
New Member

Are there any possible queries to get the list of newly created use cases from ES, the fine-tuned use cases, and the non-triggered use cases for the last 7 days?

I have searched over the internet but unfortunately did not find any, as I have only found the list of enabled, disabled, and triggered use cases.

0 Karma

richgalloway
SplunkTrust

Repeating the OP does not answer my questions. 

Please use different words to explain what you are looking for.

Perhaps the _configtracker index has the information you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma