Hi!
I would like to know is there a way to find out when a savedsearch has been disabled and who has disabled the same. I want to know the details as I have multiple users having admin privileges and it's difficult to keep a track of the changes made to the savedsearches.
Thank You.
Hi @MousumiChowdhury,
Yes you can check search head servers splunkd_access.log
and events should be like as below
127.0.0.1 - USERNAME [26/Sep/2017:16:02:10.107 +0100] "POST /servicesNS/nobody/APP_NAME/saved/searches/SCHEDULED_SEARCH_NAME/disable HTTP/1.0" 200 27711 - - - 88ms
Thanks,
Harshil