Splunk IT Service Intelligence

how to find the user who has modified KPI in itsi?

mallempatisreed
Explorer

hi Team,

We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?

Thanks,
Sree

skoelpin
SplunkTrust
SplunkTrust

This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it

The search would look something like this

index=_audit <KPI NAME> user=* 
0 Karma

mallempatisreed
Explorer

Thanks For your reply!

It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.

24/04/2018
17:36:50.310

Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]

Thanks,
Sree

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!