Splunk ITSI

how to find the user who has modified KPI in itsi?

mallempatisreed
Explorer

hi Team,

We have observed that someone has changed the thresholds for KPI's in ITSI. How to find who has modified the KPI threshold value?

Thanks,
Sree

skoelpin
SplunkTrust
SplunkTrust

This should be available in the audit logs. You should also look into locking down your environment so only admins can modify it

The search would look something like this

index=_audit <KPI NAME> user=* 
0 Karma

mallempatisreed
Explorer

Thanks For your reply!

It's not giving any events where the kpi has been modified indeed its just giving my audittrail events as shown below.

24/04/2018
17:36:50.310

Audit:[timestamp=04-24-2018 17:36:50.310, user=admin, action=search, info=granted , search_id='ta_1524584210.38087_B8645B6F-C9F8-4013-A050-64BFA9497983', search='typeahead prefix="index=_audit \"vmDisk>=90\" user=* 5d628db90cd04e7608349769" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]

Thanks,
Sree

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...