Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Any ideas on Auditing Content Library?

gazoscreek
Path Finder
‎02-14-2023 08:58 AM

I need to provide audit details on our ES Content Library. Using rest, I can identify searches that have been updated and when they were updated, but the rest call only reports on the owner of the search, not the person who made the change.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| fields title search eai:acl.owner eai:acl.app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id 
| convert timeformat="%Y-%m-%dT%H:%M:%S+00:00" mktime(updated)
| where updated >= relative_time(now(), "-4h")


Looking at conf.log I can see when a search was written:

index="_internal" source="/opt/splunk/var/log/splunk/conf.log" earliest=-30h WRITE_STANZA
| stats values(data.optype_desc) values(data.payload.children.action.correlationsearch.label.value) values(data.payload.children.search.value)


Neither of these searches tell me who was the individual writing the search.

Any other ideas as to how I can accomplish this?

Thank you.

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-14-2023 12:30 PM

Splunk does not record the name of the person who changed a search.

One workaround is to make all changes in git and push them to Splunk on a regular basis.  Any on-line changes would be overwritten by the push so users would have to use git if they want permanent changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...