Hi pullu
As dkeck stated, Splunk is not really good at logging itself.
I tried to apply the following search as an alert on my instances. This search should find only those events where the | delete command was used.
index=_* "*delete*"
| where (user!="" AND method="DELETE" AND q!="")
| append [search index=_internal root="servicesNS" method="DELETE" | eval q=""]
| where NOT like(_raw, "%runshellscript%")
| eval deltype=if(q="","Existing Object","Indexed Data")
| eval delobject=if(q="",file,q)
| sort -_time
| table _time index user method deltype delobject _raw
| rename user AS User_Name method AS Action deltype AS Type delobject AS "What got deleted?" _raw AS Payload
Hi,
that's a nice search. Thank you.
There's a mismatch in line 3 after method="DELETE": one "]" too many in the subsearch.
Yeah, sorry, I deleted some references to lookup tables from the search, so the "]" slipped through.
Edit: FIXED!
Hi,
sadly Splunk is not good at logging itself.
Try to find the same event in index=_internal sourcetype=splunkd_access OR sourcetype=splunk_ui_access
If you are lucky you can see which data was deleted by whom.
e.g.:
127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms
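The two posts above describe pulling DELETE requests out of sourcetype=splunkd_access and working out what was deleted and by whom. As an added example (not part of this thread and not Splunk's own code), here is the same triage done offline in Python over a handful of constructed splunkd_access lines: the first is the line quoted above, the others are made up to exercise a non-DELETE request, an unattributed "-" user (the "n/a" case discussed further down) and the runshellscript exclusion from the first search. The line layout and the /servicesNS/<owner>/<app>/<endpoint...>/<object> path structure are assumptions modelled on that one quoted line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout of a splunkd_access line, modelled on the one line quoted in
# the thread: client - user [timestamp] "METHOD path proto" status bytes ...
# Everything after the byte count is treated as opaque.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample input. Line 1 is the one quoted in the thread; the rest
# are made up to exercise the edge cases handled below.
SAMPLE_LINES = [
    '127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms',
    '127.0.0.1 - admin [25/Apr/2016:08:35:10.004 +0200] "GET /servicesNS/admin/search/saved/eventtypes HTTP/1.0" 200 5120 - - - 3ms',
    '127.0.0.1 - - [25/Apr/2016:08:36:42.118 +0200] "DELETE /servicesNS/nobody/search/saved/searches/nightly-cleanup HTTP/1.0" 200 1802 - - - 2ms',
    '127.0.0.1 - admin [25/Apr/2016:08:37:01.550 +0200] "DELETE /servicesNS/admin/search/alerts/runshellscript/old HTTP/1.0" 200 900 - - - 1ms',
    'this line is not an access log entry at all',
]


@dataclass
class DeleteEvent:
    timestamp: str
    user: str          # "n/a" when the log carried no user ("-")
    attributed: bool   # False when the user field was "-"
    owner: str         # namespace owner from /servicesNS/<owner>/<app>/...
    app: str           # namespace app
    endpoint: str      # REST endpoint between the app and the object
    obj: str           # last path segment: what got deleted
    status: int


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Split one splunkd_access line into named fields, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def split_namespace(path: str):
    """Break a /servicesNS/<owner>/<app>/<endpoint...>/<object> path into parts.

    Assumed layout; paths outside /servicesNS get empty owner/app and the
    whole remainder as the endpoint.
    """
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) >= 4 and parts[0] == "servicesNS":
        return parts[1], parts[2], "/".join(parts[3:-1]), parts[-1]
    return "", "", "/".join(parts[:-1]), parts[-1]


def find_deletes(lines: List[str], drop_runshellscript: bool = True) -> List[DeleteEvent]:
    """Return every DELETE request, mirroring the filters of the search in the thread:
    keep method=DELETE, optionally drop anything mentioning runshellscript,
    and flag requests whose user field is "-" as unattributed."""
    events = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        if drop_runshellscript and "runshellscript" in line:
            continue
        attributed = rec["user"] != "-"
        owner, app, endpoint, obj = split_namespace(rec["path"])
        events.append(DeleteEvent(
            timestamp=rec["ts"],
            user=rec["user"] if attributed else "n/a",
            attributed=attributed,
            owner=owner, app=app, endpoint=endpoint, obj=obj,
            status=int(rec["status"]),
        ))
    return events


def unattributed_count(events: List[DeleteEvent]) -> int:
    """How many deletes cannot be tied to a named user: the gap the thread complains about."""
    return sum(1 for e in events if not e.attributed)


if __name__ == "__main__":
    found = find_deletes(SAMPLE_LINES)
    for e in found:
        print(f"{e.timestamp}  user={e.user:<6} app={e.app:<7} {e.endpoint}/{e.obj}  status={e.status}")
    print(f"{unattributed_count(found)} of {len(found)} deletes have no user recorded")
```

The runshellscript exclusion is applied on the raw line, exactly as the search's where NOT like(_raw, "%runshellscript%") does, so it also drops a DELETE whose path merely contains that word; pass drop_runshellscript=False to see those too. The unattributed flag is the thing to alert on separately: a DELETE with user "-" is exactly the "n/a" case where you know something was deleted but not who did it.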
Hi,
First of all, thank you for your prompt reply. Unfortunately both indexes suggested above did not return any data.
We used sourcetype=audittrail to get the list of XMLs deleted; however, the user value shown is "n/a", which most probably refers to a job that was run automatically by the system.
Would be a nice thing to have if this were the case, but as said, Splunk is not good at logging itself.
My experience is that often, even with a named user, the user field value will be n/a. There is a user for system operations called "splunk-system-user". Oftentimes you can only figure out that something happened but not who did it... it's inconvenient but true.