I need to provide audit details on our ES Content Library. Using rest, I can identify searches that have been updated and when they were updated, but the rest call only reports on the owner of the search, not the person who made the change.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| fields title search eai:acl.owner eai:acl.app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id
| convert timeformat="%Y-%m-%dT%H:%M:%S+00:00" mktime(updated)
| where updated >= relative_time(now(), "-4h")
Looking at conf.log I can see when a search was written:
index="_internal" source="/opt/splunk/var/log/splunk/conf.log" earliest=-30h WRITE_STANZA
| stats values(data.optype_desc) values(data.payload.children.action.correlationsearch.label.value) values(data.payload.children.search.value)
Neither of these searches tell me who was the individual writing the search.
Any other ideas as to how I can accomplish this?
Thank you.
Splunk does not record the name of the person who changed a search.
One workaround is to make all changes in git and push them to Splunk on a regular basis. Any on-line changes would be overwritten by the push so users would have to use git if they want permanent changes.