Splunk IT Service Intelligence

how to find the user who has modified KPI in itsi?

mallempatisreed
Explorer

hi Team,

We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?

Thanks,
Sree

skoelpin
SplunkTrust
SplunkTrust

This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it

The search would look something like this

index=_audit <KPI NAME> user=* 
0 Karma

mallempatisreed
Explorer

Thanks For your reply!

It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.

24/04/2018
17:36:50.310

Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]

Thanks,
Sree

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...