What would be the recommended Log Levels for the different Audit Log channels?

Path Finder

Hi All,

This is more a general inquiry

I noticed that the _audit index collects a lot of activity, but it's not really telling in detail what actually has been done (if anything at all) .. edit user / edit role / edit index / remove ...


What would be the recommended Log Levels for the different Audit Log channels?

If  I would like to see in details what has been changed for a certain index, what Log channel(s) and what Log Level(s) would result in showing that information?

Note, that in our environment any changes to indexes are done  in the (Linux) server directly, not using the UI

Thanks in advance!







Labels (1)
0 Karma


Splunk audit log is known to be weak in some respects and I don't know that changing the log level will help.

Changes made outside the UI (or REST API) do not appear in the audit log that won't help you track changes to the indexes.

Consider upgrading to Splunk 9.x and enabling the Configuration Tracker.  It will log changes to pretty much any .conf file and log them to the _configtracker index.  Unfortunately, even Config Tracker does not specify which person made the change.

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...