Audit splunk

astatrial
Contributor

It is unclear to me why there isn't any easy and comfortable way to search for all the objects that have been changed on Splunk.

It is very basic, and something that admins need in order to be in control of the environment.

I have this query, which I found in an answer here, and added some changes:

index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access)
    ( method=POST OR method=DELETE)
    ( user!=splunk-system-user user!=- )
    ( uri_path=/servicesNS/* OR uri_path=/en-US/splunkd/__raw/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" uri_path!="*/ui/prefs*" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*")
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
| replace "/en-US/splunkd/__raw*" with "*" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| eval object_name = urldecode( object_name )
| convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S"
| table _time, user, object_name, object_type, activity
| dedup _time, user, object_name

But it is not quite good, as there seem to be a lot of false positives.

Can someone please help me accomplish this?

*** I am not familiar with the fields of the internal logs and I couldn't find any description or details about them, so that would be useful too.

Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?

Thanks!

0 Karma
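To make the filtering in the search above easier to reason about offline, here is an added Python reimplementation of its logic (this is not code from the thread or from Splunk). It runs over constructed sample lines in the common-log layout that splunkd_access uses (host, user, timestamp, request line, status) and applies the same steps: drop system users and read-only methods, strip the `/en-US/splunkd/__raw` web-proxy prefix, apply the same `uri_path` renames and noise exclusions, require a path deep enough to name a specific object, extract `object_type` and `object_name` with the same regex, classify the activity, and dedup on `(_time, user, object_name)`. The `*/props*` rewrite is omitted because it collapses paths rather than renaming a segment. All hosts, users and object names in the sample are made up.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines shaped like splunkd_access events. These are not
# real logs; the hosts, users, object names and timings are invented.
SAMPLE_LINES = [
    '10.0.0.5 - alice [12/Mar/2020:09:13:50.000 +0000] "POST /servicesNS/alice/search/saved/searches HTTP/1.1" 201 500 - - - 8ms',
    '10.0.0.5 - alice [12/Mar/2020:09:14:02.101 +0000] "POST /servicesNS/alice/search/saved/searches/Failed%20Logins HTTP/1.1" 200 812 - - - 7ms',
    '10.0.0.5 - alice [12/Mar/2020:09:14:05.330 +0000] "POST /servicesNS/alice/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 640 - - - 4ms',
    '10.0.0.9 - bob [12/Mar/2020:09:15:11.002 +0000] "DELETE /servicesNS/nobody/search/data/lookup-table-files/old_iocs.csv HTTP/1.1" 200 300 - - - 3ms',
    '10.0.0.9 - bob [12/Mar/2020:09:15:12.777 +0000] "POST /servicesNS/bob/search/search/jobs/1583998512.123/control HTTP/1.1" 200 120 - - - 2ms',
    '10.0.0.9 - bob [12/Mar/2020:09:15:13.000 +0000] "POST /servicesNS/bob/user-prefs/data/user-prefs/general HTTP/1.1" 200 120 - - - 2ms',
    '127.0.0.1 - splunk-system-user [12/Mar/2020:09:15:14.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Scheduled HTTP/1.1" 200 120 - - - 2ms',
    '10.0.0.5 - alice [12/Mar/2020:09:16:00.000 +0000] "GET /servicesNS/alice/search/saved/searches/Failed%20Logins HTTP/1.1" 200 2000 - - - 9ms',
    '10.0.0.5 - alice [12/Mar/2020:09:16:30.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/alice/search/data/ui/views/soc_dashboard HTTP/1.1" 200 900 - - - 6ms',
]

# Assumed common-log layout of splunkd_access: host - user [time] "METHOD uri HTTP/x" status ...
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Same noise exclusions as the uri_path!= clauses in the search (applied after
# the web-proxy prefix is stripped, so one pattern covers both path forms).
NOISE_GLOBS = [
    "*/user-prefs/*",
    "/servicesNS/*/*/*/jobs/*/control",
    "/servicesNS/*/mobile_access*",
    "*/ui/prefs*",
    "*/ui/ui-tour*",
]

# Same segment renames as the `replace ... in uri_path` step, so that the
# object_type capture lands on a meaningful segment such as "ui_views".
RENAMES = [
    ("/ui/views", "/ui_views"),
    ("/distributed/peers", "/distributed_peers"),
    ("/server/serverclasses", "/server_class"),
]

# Same capture as the rex in the search: skip user/app/category, then type/name.
OBJECT_RE = re.compile(r"/servicesNS(?:/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")


@dataclass(frozen=True)
class ChangeEvent:
    time: str
    user: str
    object_type: str
    object_name: str
    activity: str


def normalize_uri(uri: str) -> str:
    """Strip the web-proxy prefix and apply the same renames as the search."""
    prefix = "/en-US/splunkd/__raw"
    if uri.startswith(prefix):
        uri = uri[len(prefix):]
    for old, new in RENAMES:
        uri = uri.replace(old, new)
    return uri


def classify(method: str, uri: str) -> str:
    """Mirror the eval case(): DELETE -> Deleted, POST on /acl -> Permissions Update."""
    if method == "DELETE":
        return "Deleted"
    return "Permissions Update" if uri.endswith("/acl") else "Edited"


def parse_change(line: str) -> Optional[ChangeEvent]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    user, method = m["user"], m["method"]
    if user in ("splunk-system-user", "-"):
        return None                      # user!= filters in the search
    if method not in ("POST", "DELETE"):
        return None                      # GETs are reads, not changes
    uri = normalize_uri(m["uri"])
    if not uri.startswith("/servicesNS/"):
        return None
    if any(fnmatch(uri, g) for g in NOISE_GLOBS):
        return None
    # mvcount(split(uri_path, "/")) > 6: the URI must name a specific object.
    # A POST that creates an object goes to the collection endpoint (e.g.
    # .../saved/searches) with the name in the request body, so this depth
    # filter drops creations; that is one reason the search misses them.
    if len(uri.split("/")) <= 6:
        return None
    om = OBJECT_RE.search(uri)
    if not om:
        return None
    return ChangeEvent(
        time=m["ts"], user=user,
        object_type=om["object_type"], object_name=unquote(om["object_name"]),
        activity=classify(method, uri),
    )


def audit_changes(lines) -> List[ChangeEvent]:
    """Parse lines and dedup on (_time, user, object_name) as the search does."""
    seen, out = set(), []
    for line in lines:
        ev = parse_change(line)
        if ev is None:
            continue
        key = (ev.time, ev.user, ev.object_name)
        if key in seen:
            continue
        seen.add(key)
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in audit_changes(SAMPLE_LINES):
        print(f"{ev.time}  {ev.user:8} {ev.object_type:20} {ev.object_name:20} {ev.activity}")
```

Running it on the sample keeps four events (an edit, a permissions update, a lookup deletion and a dashboard edit) and drops the creation POST to the collection endpoint, the search-job control call, the user-prefs write, the system user and the GET. That creation drop is worth checking in your own data before trusting the search as a change audit.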

DavidHourani
Super Champion

Hi @astatrial,

Try this as a base search to get the list of actions for any changes; you can then filter on specific objects or actions:

index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change*) | stats count by user, action

As for "Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?", the answer is no. The internal log structure remains the same.

Cheers,
David

0 Karma

astatrial
Contributor

Hi David,
Thanks for your response.
I already tried using the _audit index, but it seems to have a lot of irrelevant events too, and in addition it doesn't contain some actions (for example, I created a report and searched for the event in _audit, and it wasn't there by the name of the search).

The actions that I am looking for are on objects like reports, alerts, indexes, lookups, DMs, correlation searches, sourcetypes, etc.

0 Karma