Splunk Enterprise Security

How to set up an alert when events indicate changes to any NTP setting on any platform?



I need help on how to set up an alert when events indicate changes to any NTP setting on any platform, for example GPS appliances, Linux ntp server settings, Windows time configuration, or registry entries related to Windows time.

Appreciate your response.


0 Karma


Hi, Kamal!

This is rather a big topic, so let's break it down a bit.

First, some background help. The Splunk Fundamentals 1 class is free! If you haven't taken it yet, I'd suggest doing so. This will give you a decent grounding upon which to build.

Then go through the Splunk Tutorial, which is ALSO free.

You may also be able to lean on people at your own company for help or assistance. Do you already have Splunk in place? In that case there's possibly someone who manages this and who can help you more directly than we can here.

In any case, you'll likely need to talk to the people who run/manage/administer those systems to find out how they log, what they log, and what might be your best collection method.

Giving you specific answers for each of the platforms you asked about is far too large a topic for one answer here. Each of the data sources will be different and will probably need a different approach, and at this time we don't know enough about any one of them to even try giving you an answer - except to start learning more Splunk and to start talking with the people who run those machines/appliances.

BTW, here's one attempt at trying to show someone how to onboard data - Lots of stuff in there, be sure to click the upvote on that answer if you find it useful!

0 Karma
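To make the answer above concrete, here is an added example (not code from the original thread or from Splunk) of the kind of per-source detection logic that would sit behind such an alert once each platform's logs are onboarded. It works over a handful of constructed sample events laid out like Splunk's sourcetype/host/_raw fields; the sourcetype names, the auditd watch key "ntp_conf", the syslog wording from the GPS appliance and the exact event layouts are all assumptions for illustration and must be replaced with what the real systems emit (the Windows registry path under W32Time\Parameters and Security event 4657 for a modified registry value are real, the rest is made up). In Splunk this would become one saved search per sourcetype, or one search with per-sourcetype field extractions, scheduled to fire when any match is returned.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class NtpChange:
    platform: str  # which kind of system produced the event
    host: str      # host on which the change was observed
    detail: str    # short description to put in the alert


# Constructed sample events for this example only. The sourcetype names and the
# exact field layouts are assumptions; take the real ones from each system's logs.
SAMPLE_EVENTS = [
    # Linux: auditd SYSCALL record tagged by an (assumed) file watch named "ntp_conf"
    {"sourcetype": "linux_audit", "host": "ntp01",
     "_raw": 'type=SYSCALL msg=audit(1617000000.123:456): arch=c000003e syscall=257 '
             'success=yes exe="/usr/bin/vim" key="ntp_conf"'},
    # Linux: auditd PATH record naming a time-sync config file directly
    {"sourcetype": "linux_audit", "host": "ntp02",
     "_raw": 'type=PATH msg=audit(1617000050.500:612): item=1 name="/etc/chrony.conf" nametype=NORMAL'},
    # Windows: Security event 4657 (registry value modified) on the W32Time parameters key
    {"sourcetype": "WinEventLog:Security", "host": "dc01",
     "_raw": 'EventCode=4657 Object Name: \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services'
             '\\W32Time\\Parameters Object Value Name: NtpServer New Value: 10.9.9.9,0x9'},
    # GPS appliance: syslog line whose wording is invented for this example
    {"sourcetype": "syslog", "host": "gps-clock-1",
     "_raw": 'gps-clock-1 timesvc[212]: NTP source changed from GPS to 192.0.2.50 by admin'},
    # Unrelated config edit that must NOT raise an alert
    {"sourcetype": "linux_audit", "host": "web03",
     "_raw": 'type=SYSCALL msg=audit(1617000100.001:789): syscall=257 success=yes '
             'exe="/usr/bin/vim" key="sshd_conf"'},
]

# Files whose modification counts as an NTP/time-sync change on Linux
LINUX_TIME_CONFIGS = ("/etc/ntp.conf", "/etc/chrony.conf", "/etc/systemd/timesyncd.conf")

_AUDIT_KEY = re.compile(r'key="ntp_conf"')
_AUDIT_PATH = re.compile(r'name="([^"]+)"')
_WIN_W32TIME = re.compile(
    r'EventCode=4657 .*?\\W32Time\\Parameters.*?Object Value Name: (\S+) New Value: (\S+)')
_GPS_SOURCE = re.compile(r'NTP source changed from (\S+) to (\S+)')


def detect_ntp_changes(events: Iterable[dict]) -> List[NtpChange]:
    """Apply one rule per sourcetype and return every event that indicates an NTP change."""
    hits: List[NtpChange] = []
    for ev in events:
        st, host, raw = ev["sourcetype"], ev["host"], ev["_raw"]
        if st == "linux_audit":
            path = _AUDIT_PATH.search(raw)
            if _AUDIT_KEY.search(raw):
                hits.append(NtpChange("linux", host, "auditd watch key ntp_conf fired"))
            elif path and path.group(1) in LINUX_TIME_CONFIGS:
                hits.append(NtpChange("linux", host, f"write to {path.group(1)}"))
        elif st == "WinEventLog:Security":
            m = _WIN_W32TIME.search(raw)
            if m:
                hits.append(NtpChange("windows", host,
                                      f"W32Time registry value {m.group(1)} set to {m.group(2)}"))
        elif st == "syslog":
            m = _GPS_SOURCE.search(raw)
            if m:
                hits.append(NtpChange("gps_appliance", host,
                                      f"NTP source {m.group(1)} -> {m.group(2)}"))
    return hits


def alert_should_fire(events: Iterable[dict]) -> bool:
    """Alert condition: any matching event in the search window triggers the alert."""
    return bool(detect_ntp_changes(events))


if __name__ == "__main__":
    for hit in detect_ntp_changes(SAMPLE_EVENTS):
        print(f"[{hit.platform}] {hit.host}: {hit.detail}")
    print("alert:", alert_should_fire(SAMPLE_EVENTS))
```

The point to take from the example is structural: each platform needs its own extraction rule because the events share nothing beyond "something about time sync changed", so the first job is exactly what the answer says, finding out from each system's owners what it logs and in which format, and only then writing the per-source matching and the alert condition on top of it.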



Can we see some samples of your events and a brief description of your alert condition?

0 Karma