How to create a search to check which user disabled/enabled alert?

AnmolKohli
Explorer

Splunk query to check which user disabled/enabled an alert.

woodcock
Esteemed Legend

See what is in the logs like this:

index=_audit "disabled alert name here"

inventsekar
SplunkTrust

Not sure, @woodcock, if the new version updated the audit log formats or my old 7.3 does not yet have your search query format, but I created a test alert, disabled it and queried the audit index, and got no match. Something fishy.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

AnmolKohli
Explorer

We have a report built in Splunk that runs whenever any alert is disabled by a user in Splunk. I want to find the user who has disabled the alert. Is this doable?

cmeisch
Path Finder

Has this been answered... I am looking for the same thing as to WHO has done what?

0 Karma

SanjayReddy
SplunkTrust

Hi @cmeisch 

You can with the following query:

index="_internal" sourcetype="splunkd_ui_access" file IN (disable,enable) 

I tried enabling/disabling one of the saved searches; the enable/disable logs are showing with the username who did that action.

(screenshot of the search results, showing the enable/disable events with the user field, omitted)

cmeisch
Path Finder

Thanks for the response. What I am trying to do is to see when a rule has been enabled/disabled and by whom. Your suggestion will give me who has disabled/enabled, but I am trying to figure out what was enabled/disabled... BUT I am closer thanks to you!

0 Karma

SanjayReddy
SplunkTrust

Hi @cmeisch 


index="_internal" sourcetype="splunkd_ui_access" file IN (disable,enable)
| table _time user uri file

I am not good at regex 😁, but I highlighted the saved search name on which the action was done: after the searches/ word is the report/alert name, followed by the action.

(screenshot of the search results with the saved search name highlighted in the uri field, omitted)

---
If this reply helps you, an upvote/Karma would be appreciated.

0 Karma
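Putting the two replies above together, here is an added example search (not from any post in this thread) that pulls the saved search name out of the uri field SanjayReddy pointed at, so each row answers who, which alert, and whether it was enabled or disabled. It assumes the request URI has the REST form .../saved/searches/<name>/enable or .../saved/searches/<name>/disable with the name URL-encoded, as shown in the earlier replies; the field names user, uri, file and method are the ones already used in this thread. Since disabling an alert is a common way to blind detection, this is a search worth scheduling as an alert in its own right.

```spl
index=_internal sourcetype=splunkd_ui_access method=POST file IN (enable, disable)
| rex field=uri "saved/searches/(?<savedsearch>[^/?]+)/(?<action>enable|disable)"
| eval savedsearch=urldecode(savedsearch)
| where isnotnull(savedsearch)
| table _time user action savedsearch uri
| sort - _time
```

The where clause drops enable/disable POSTs against other endpoints (for example apps), whose URIs do not contain saved/searches/ and so leave savedsearch unset. The urldecode turns names like My%20Alert back into My Alert, matching what you see in the Searches, Reports, and Alerts page.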

not_for_sale_b
New Member

Oh my god, finally someone found it. Here is a revised query that works a little better and shows the "files" (searches) enabled by a particular user and decodes them to make them easier to read.

 

index="_internal" sourcetype=splunkd_ui_access method=POST
| eval file=urldecode(file)
| stats values(file) by user

0 Karma

ccl0utier
Splunk Employee

Care to elaborate?

0 Karma