Splunk Search

tracking Splunk modifications

gcusello
SplunkTrust

Hi at all,

I have to track Splunk modifications (Correlation Searches, conf files, etc.).

I tried to use the _configtracker index, which is complete and meets all my requirements, but it doesn't track the user who performs an action.

How could I do this?

Thank you for your help.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Maybe this helps you in the future:

"Did we just lose ALL our knowledge objects? Do you know how much time and energy that was?" After a destructive resync, Paychex lost two months of its knowledge object creations/modifications. We learned to be prepared if it were to ever happen again. How? It's easier than you might think, and you don't have to be an admin. You’ll learn how to proactively save your work (dashboards, reports, data models, MLTK experiments, ITSI glass tables, macros, views, etc.) and audit changes when they occur. You will leave the session knowing how to manage the ever-increasing amount of things you create. You'll also have solutions that can save you time and effort from having to recreate lost/modified objects, including how to restore service faster. You also will come away with peace of mind knowing that you can take control of safeguarding and protecting your work, thereby covering your assets when a disaster happens.



gcusello
SplunkTrust

Hi @isoutamo,

It seems to be the solution to my requirement, but the results are strange:

in my environment I don't see the object creation events;

the edited and deleted activities are only on data and not on objects such as Correlation Searches, and they are never on the custom app I'm using for the ES customizations.

If I filter for my app, the only activity I see is "Correlation search", which seems to be the running of the Correlation Search, not the modification.

I have to make some additional tests!

Too bad that the _configtracker indication does not also contain user tracking; otherwise it would be the perfect solution for my requirement.

Thank you for your help; if you have any additional hint, please let me know.

Ciao.

Giuseppe


isoutamo
SplunkTrust

I think at least one presenter is quite active on Slack, so you could try to ask him for help.
