We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track down when someone changed content.
On Splunk Enterprise 7.0.3, I can see writes to content objects using the following search:
index=_internal sourcetype=splunkd_conf "data.task"=addCommit "data.optype_desc"=WRITE_STANZA
The data.asse_uri field has the object that was changed and the data.payload has more details. For example, data.payload.children.search.value has the search string written to a report.
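As an added example (not part of the thread), a Python script that applies the filter from the search above to constructed splunkd_conf-style JSON events and builds a per-object change history, recording how each written search string differs from the previous write. The events, timestamps and search strings are constructed; the field paths follow the post (data.task, data.optype_desc, data.payload.children.search.value), and the object URI key is accepted under both the spelling used in the post (asse_uri) and asset_uri.

```python
import json
import difflib
from collections import defaultdict

# Constructed sample events (JSON, one per line) shaped after the field paths
# named in the post. These are not real Splunk log output.
SAMPLE_EVENTS = """\
{"time":"2024-05-01T09:00:00Z","data":{"task":"addCommit","optype_desc":"WRITE_STANZA","asset_uri":"/servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/Brute%20Force%20Access","payload":{"children":{"search":{"value":"| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src | where count > 10"}}}}}
{"time":"2024-05-01T09:05:00Z","data":{"task":"addCommit","optype_desc":"READ_STANZA","asset_uri":"/servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/Brute%20Force%20Access","payload":{}}}
{"time":"2024-05-02T14:30:00Z","data":{"task":"addCommit","optype_desc":"WRITE_STANZA","asset_uri":"/servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/Brute%20Force%20Access","payload":{"children":{"search":{"value":"| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src | where count > 100"}}}}}
"""


def conf_writes(lines):
    """Yield (time, object_uri, search_value) for stanza writes, mirroring the
    post's filter: data.task=addCommit AND data.optype_desc=WRITE_STANZA."""
    for line in lines:
        if not line.strip():
            continue
        data = json.loads(line).get("data", {})
        if data.get("task") != "addCommit" or data.get("optype_desc") != "WRITE_STANZA":
            continue
        # The post names this field data.asse_uri; accept that and asset_uri.
        uri = data.get("asset_uri") or data.get("asse_uri")
        search = data.get("payload", {}).get("children", {}).get("search", {}).get("value")
        yield json.loads(line).get("time"), uri, search


def change_history(lines):
    """Group writes per object and, for each write after the first, list the
    (tag, old_text, new_text) segments that differ from the previous search
    string. Reads (READ_STANZA) are ignored because they change nothing."""
    history = defaultdict(list)
    for ts, uri, search in conf_writes(lines):
        prev = history[uri][-1]["search"] if history[uri] else None
        diff = []
        if prev is not None and search is not None:
            matcher = difflib.SequenceMatcher(None, prev, search)
            diff = [(tag, prev[i1:i2], search[j1:j2])
                    for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]
        history[uri].append({"time": ts, "search": search, "diff": diff})
    return dict(history)


if __name__ == "__main__":
    for uri, writes in change_history(SAMPLE_EVENTS.splitlines()).items():
        print(uri)
        for w in writes:
            print(f"  {w['time']}  {w['search']}")
            for tag, old, new in w["diff"]:
                print(f"    {tag}: {old!r} -> {new!r}")
```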
Definitely, and I think Adonio is right: it all depends on what you're after. Given the circumstance you mentioned, audit.log & searches.log (if they piped the output of a search to delete) should have a record. Happy splunking!
http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/WhatSplunklogsaboutitself
yes sir,
what exactly are you after?
I am trying to see who changed a correlation search in Enterprise Security, and when.
John did you figure out how to do this?
absolutely,
great answers here:
https://answers.splunk.com/answers/387244/anyone-know-of-a-way-of-finding-the-last-modified.html
https://answers.splunk.com/answers/317274/how-can-i-determine-who-modified-a-dashboard.html
there are more answers on this topic in this portal as well
look in _audit and _internal indexes.
you can narrow down by the correlation search name
hope it helps