What would be the recommended Log Levels for the different Audit Log channels?

Path Finder

Hi All,

This is more a general inquiry

I noticed that the _audit index collects a lot of activity, but it's not really telling in detail what actually has been done (if anything at all) .. edit user / edit role / edit index / remove ...


What would be the recommended Log Levels for the different Audit Log channels?

If  I would like to see in details what has been changed for a certain index, what Log channel(s) and what Log Level(s) would result in showing that information?

Note, that in our environment any changes to indexes are done  in the (Linux) server directly, not using the UI

Thanks in advance!







Labels (1)
0 Karma


Splunk audit log is known to be weak in some respects and I don't know that changing the log level will help.

Changes made outside the UI (or REST API) do not appear in the audit log that won't help you track changes to the indexes.

Consider upgrading to Splunk 9.x and enabling the Configuration Tracker.  It will log changes to pretty much any .conf file and log them to the _configtracker index.  Unfortunately, even Config Tracker does not specify which person made the change.

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...