Splunk Enterprise

how to find out if someone modified an index or deleted eventdata from an index ?

damode
Motivator

I had a test_index index created where I was sending all test data. However, out of nowwhere, today I see all data gone from it.

How can I find out which user messed up with this index ?

Tags (1)
0 Karma

pruthvikrishnap
Contributor

alt text

mhouse333
Loves-to-Learn Lots

There is no object field anywhere in the data for:

index=_audit user=* action=indexes_edit

This is even with searching against the last 90 days.  Why is that?

 

0 Karma

damode
Motivator

With that, I only got one result same as the first in your screenshot - Operation=create. I am suspecting someone ran splunk clean eventdata -index test_index on cli.

Is there anyway to find user who executed this command ?

Thanks.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...