Is it possible in Splunk to know who has disabled a saved search and when?



I would like to know is there a way to find out when a savedsearch has been disabled and who has disabled the same. I want to know the details as I have multiple users having admin privileges and it's difficult to keep a track of the changes made to the savedsearches.

Thank You.


Hi @MousumiChowdhury,

Yes you can check search head servers splunkd_access.log and events should be like as below - USERNAME [26/Sep/2017:16:02:10.107 +0100] "POST /servicesNS/nobody/APP_NAME/saved/searches/SCHEDULED_SEARCH_NAME/disable HTTP/1.0" 200 27711 - - - 88ms


0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...