I have an audit request to show the last time a report was modified.
Thanks,
Jeremy
Hi zindain24,
How about this:
index="_internal" (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") file!="notify"
| table _time clientip user file | rename file AS saved_search
This will create a table containing time, clientip, user and the saved_search name.
Hope this helps ...
cheers, MuS
Just a small update on this, based on some background discussion with @martin_mueller:
splunkd_ui_access
savedsearches.conf
any other way you will not get it in _internal
because it only covers REST calls
cheers, MuS
Thanks MuS! Here is what I ended up with:
index="_internal" NOT 201 NOT 400 (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") NOT notify
| rex "(?<Action>enable|disable)\s"
| convert ctime(_time) as time
| rex "saved/searches/(?<SearchName>\S+?)[\/|\s]"
| rex "^(?:[0-9]{1,3}.){3}[0-9]{1,3}\s-\s(?<User>\w+)"
| rex "(?<MSExecutionTime>\d+)ms"
| table time, User, SearchName, Action, MSExecutionTime
| fillnull value="modify/save"
| rename MSExecutionTime AS "ExecutionTime(ms)"
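As an added example that is not part of this thread, the Python script below reproduces the logic of the final search over a few constructed splunkd_access lines: it keeps POST requests to the saved-searches REST endpoint, drops notify calls and the excluded status codes, and derives user, search name, action and response time the same way the rex/fillnull pipeline does. The log line layout, the sample values and the function names are assumptions; it also goes slightly beyond the search by accepting any app in the path rather than only /search/.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (example data, not log data from the thread) in the
# splunkd_access layout: clientip, user, timestamp, request, status, bytes,
# three "-" placeholders, response time in ms.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Jan/2016:10:47:12.345 +0000] "POST /servicesNS/admin/search/saved/searches/Daily%20Report HTTP/1.1" 200 1832 - - - 12ms
10.0.0.7 - analyst [25/Jan/2016:10:48:01.002 +0000] "POST /servicesNS/nobody/search/saved/searches/Daily%20Report/disable HTTP/1.1" 200 410 - - - 4ms
10.0.0.7 - analyst [25/Jan/2016:10:49:30.900 +0000] "POST /servicesNS/nobody/search/saved/searches/Daily%20Report/notify HTTP/1.1" 200 120 - - - 3ms
10.0.0.5 - admin [25/Jan/2016:10:50:00.000 +0000] "POST /servicesNS/admin/search/saved/searches HTTP/1.1" 201 900 - - - 20ms
10.0.0.9 - viewer [25/Jan/2016:10:51:11.111 +0000] "GET /servicesNS/-/-/search/saved/searches/Daily%20Report HTTP/1.1" 200 5000 - - - 2ms
"""

# One access-log line (assumed layout, see above).
LINE_RE = re.compile(
    r'^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?:\S+ ){3}(?P<ms>\d+)ms$'
)

# Saved-search endpoint: /servicesNS/<owner>/<app>/saved/searches[/<name>[/<action>]]
URI_RE = re.compile(
    r'^/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/saved/searches'
    r'(?:/(?P<name>[^/?]+))?(?:/(?P<action>[^/?]+))?/?(?:\?.*)?$'
)


def parse_line(line):
    """Return the fields of one splunkd_access line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def audit_saved_search_changes(log_text, exclude_status=(201, 400)):
    """Mirror the thread's search: POST to the saved-searches endpoint, minus
    notify calls and the excluded HTTP statuses. enable/disable become the
    Action; every other request is reported as "modify/save" (the fillnull)."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        u = URI_RE.match(rec["uri"])
        if u is None or u.group("action") == "notify":
            continue
        if rec["status"] in exclude_status:
            continue
        action = u.group("action")
        if action not in ("enable", "disable"):
            action = "modify/save"
        name = u.group("name")
        events.append({
            "time": rec["time"],
            "clientip": rec["clientip"],
            "user": rec["user"],
            "search_name": unquote(name) if name else None,
            "action": action,
            "exec_ms": rec["ms"],
        })
    return events


if __name__ == "__main__":
    for ev in audit_saved_search_changes(SAMPLE_LOG):
        print(ev)
```

Note that with the thread's default of excluding status 201 the fourth sample line (a create, which has no search name in the URI) is dropped; passing exclude_status=() keeps it, with search_name None.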