We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?
This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it
The search would look something like this
index=_audit <KPI NAME> user=*
Thanks For your reply!
It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.
Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]