Any ideas on Auditing Content Library?

gazoscreek · ‎02-14-2023

I need to provide audit details on our ES Content Library. Using rest, I can identify searches that have been updated and when they were updated, but the rest call only reports on the owner of the search, not the person who made the change.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| fields title search eai:acl.owner eai:acl.app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id 
| convert timeformat="%Y-%m-%dT%H:%M:%S+00:00" mktime(updated)
| where updated >= relative_time(now(), "-4h")

Looking at conf.log I can see when a search was written:

index="_internal" source="/opt/splunk/var/log/splunk/conf.log" earliest=-30h WRITE_STANZA
| stats values(data.optype_desc) values(data.payload.children.action.correlationsearch.label.value) values(data.payload.children.search.value)

Neither of these searches tell me who was the individual writing the search.

Any other ideas as to how I can accomplish this?

Thank you.

richgalloway · ‎02-14-2023

Splunk does not record the name of the person who changed a search.

One workaround is to make all changes in git and push them to Splunk on a regular basis. Any on-line changes would be overwritten by the push so users would have to use git if they want permanent changes.

---
If this reply helps you, Karma would be appreciated.

Any ideas on Auditing Content Library?

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life