How to edit my search on modified files to include...

fmpa_isaac · ‎04-27-2016

I currently have an alert set to notify me on any mass modification files over 100. The alert only provides the User, Operation, Source, and Count. I am now being asked to provide the details (what got changed) along with the alert. For example, I would like the alert to not only contain the count per operation, but the actual record of what got changed. Please see my current search string below.

sourcetype=udp:514 host = 10.0.0.3 "D:\\Data"   NOT Read   NOT Permissions | stats  count by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source,  | sort -count  | search count>100

Thank you!

sundareshr · ‎04-27-2016

Like this
.... | stats count list(details) as whatchanged by user, operation, machine_source | rename ....

splunkfmpa · ‎04-27-2016

Thank you but how do I remove those extra fields? thanks

How to edit my search on modified files to include additional details (what got changed) for an alert?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How to edit my search on modified files to include additional details (what got changed) for an alert?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!