Splunk ITSI

how to find the user who has modified KPI in itsi?

mallempatisreed
Explorer

hi Team,

We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?

Thanks,
Sree

skoelpin
SplunkTrust
SplunkTrust

This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it

The search would look something like this

index=_audit <KPI NAME> user=* 
0 Karma

mallempatisreed
Explorer

Thanks For your reply!

It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.

24/04/2018
17:36:50.310

Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]

Thanks,
Sree

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...