Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to find out if someone modified an index or deleted eventdata from an index ?

damode
Motivator
‎08-08-2018 10:23 PM

I had a test_index index created where I was sending all test data. However, out of nowwhere, today I see all data gone from it.

How can I find out which user messed up with this index ?

Tags (1)
0 Karma
Reply

pruthvikrishnap
Contributor
‎08-08-2018 11:33 PM

alt text

Preview file
65 KB
Reply

mhouse333
Loves-to-Learn Lots
‎02-02-2022 02:58 PM

There is no object field anywhere in the data for:

index=_audit user=* action=indexes_edit

This is even with searching against the last 90 days.  Why is that?

 

0 Karma
Reply

damode
Motivator
‎08-09-2018 12:16 AM

With that, I only got one result same as the first in your screenshot - Operation=create. I am suspecting someone ran splunk clean eventdata -index test_index on cli.

Is there anyway to find user who executed this command ?

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...