Splunk ITSI

how to find the user who has modified KPI in itsi?

mallempatisreed
Explorer

hi Team,

We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?

Thanks,
Sree

skoelpin
SplunkTrust
SplunkTrust

This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it

The search would look something like this

index=_audit <KPI NAME> user=* 
0 Karma

mallempatisreed
Explorer

Thanks For your reply!

It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.

24/04/2018
17:36:50.310

Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]

Thanks,
Sree

0 Karma
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...