I have a requirement to be able to check and provide alerts if a customers dashboards have been tampered with. I have found the following search
seems to pick up edits (see screenshot).
Im just wondering if this is the best way to check for editing? Or if anyone can share with me their thoughts and findings in checking for edits to existing pages.
this is what i use:
index=_internal sourcetype=splunkd_ui_access method=post ui/views (edit OR editxml) | table user, req_time, file | rename file as dashboard req_time as editTime
it gives me the user, the time of editing and what dashboard.
I have found that I must remove the '(edit OR editXML)' part of the query and add 'NOT StreamedSearch' to get the actual results.