Splunk Search

How to edit my search on modified files to include additional details (what got changed) for an alert?

fmpa_isaac
Path Finder

I currently have an alert set to notify me on any mass modification files over 100. The alert only provides the User, Operation, Source, and Count. I am now being asked to provide the details (what got changed) along with the alert. For example, I would like the alert to not only contain the count per operation, but the actual record of what got changed. Please see my current search string below.

sourcetype=udp:514 host = 10.0.0.3 "D:\\Data"   NOT Read   NOT Permissions | stats  count by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source,  | sort -count  | search count>100

Thank you!

0 Karma

sundareshr
Legend

Like this
.... | stats count list(details) as whatchanged by user, operation, machine_source | rename ....

0 Karma

splunkfmpa
New Member

Thank you but how do I remove those extra fields? thanks

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!