Splunk Enterprise Security

Where can I find changes made related to log source or indexed data?

samlinsongguo
Communicator

Hi guys,
I am looking to do a report on any log source or index setting that was changed in the last 7 days. Where can I get this information? Is it in the _internal index? If I cannot access the _internal index, is there any other way I can get this information?

In addition, I am looking for what data has been searched in the last 7 days. Is this information stored in the _internal index as well? Is there anywhere else, or any other method, by which I can get this information?

Thanks in advance

0 Karma

somesoni2
SplunkTrust

Not all config changes will be logged, even in the _internal index. Could you explain which settings you'd like to monitor?
For what people are searching in your Splunk instance, you'd need access to index=_audit.

0 Karma
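
As an added example (not written by anyone in this thread), here is one way to report which indexes each user searched over the last 7 days from `index=_audit`. It assumes your role can read `_audit`, and it only catches index names written literally as `index=...` in the search string, so indexes reached through macros or role defaults are grouped under a placeholder label chosen here.

```spl
index=_audit sourcetype=audittrail action=search info=granted search=* earliest=-7d@d latest=now
| rex field=search max_match=0 "(?i)\bindex\s*=\s*\"?(?<searched_index>[\w\*\-]+)"
| fillnull value="(no explicit index)" searched_index
| mvexpand searched_index
| stats dc(search_id) AS searches, latest(_time) AS last_seen BY user, searched_index
| convert ctime(last_seen)
| sort - searches
```

If you cannot be granted access to `_audit`, an admin can save this as a scheduled report and share only the results with you.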

samlinsongguo
Communicator

I need to generate 2 reports:
1. index or log source changes
2. what data has been used.

I understand this information is normally stored in the _internal or _audit index, but since I am not an admin of Splunk I can't get access to it. So I am wondering whether there is any other way I can get this information.

0 Karma

ddrillic
Ultra Champion

It's in _internal - you better get access to it ; -)

0 Karma