tracking Splunk modifications

gcusello
SplunkTrust

Hi at all,

I have to track Splunk modifications (Correlation Searches, conf files, etc.).

I tried to use the _configtracker index, which is complete and answers all my requirements, but it doesn't track the user that performs an action.

How could I do this?

Thank you for your help.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Maybe this helps you in the future:

"Did we just lose ALL our knowledge objects? Do you know how much time and energy that was?" After a destructive resync, Paychex lost two months of its knowledge object creations/modifications. We learned to be prepared if it were to ever happen again. How? It's easier than you might think, and you don't have to be an admin. You’ll learn how to proactively save your work (dashboards, reports, data models, MLTK experiments, ITSI glass tables, macros, views, etc.) and audit changes when they occur. You will leave the session knowing how to manage the ever-increasing amount of things you create. You'll also have solutions that can save you time and effort from having to recreate lost/modified objects, including how to restore service faster. You also will come away with peace of mind knowing that you can take control of safeguarding and protecting your work, thereby covering your assets when a disaster happens.

gcusello
SplunkTrust

Hi @isoutamo,

it seems to be the solution to my requirement, but the results are strange:

in my environment I don't see the object creation events,

the edited and deleted activities are only on data and not on objects such as Correlation Searches, and they are never on the custom app I'm using for the ES customizations.

If I filter for my App, the only activity I see is "Correlation search", which seems to be the running of the Correlation Search, not the modification.

I have to make some additional tests!

Too bad that the _configtracker index does not also contain user tracking, otherwise it would be the perfect solution for my requirement.

Thank you for your help, if you have some additional hint, please let me know.

Ciao.

Giuseppe

isoutamo
SplunkTrust
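One way to get the missing "who" is to correlate _configtracker with the REST access log that splunkd writes to _internal (sourcetype splunkd_access), since every UI or REST edit of a knowledge object is a POST or DELETE to /servicesNS/... carrying the authenticated user. The search below is an added example written for this thread, not something either poster provided; it assumes the standard _configtracker JSON fields (data.path, data.action, data.changes{}.stanza) and the standard splunkd_access fields (user, clientip, method, uri_path), and it pairs the two sources by app, object name and a one-minute time bucket:

```spl
(index=_configtracker sourcetype=splunk_configuration_change data.path="*savedsearches.conf")
OR (index=_internal sourcetype=splunkd_access method IN ("POST","DELETE") uri_path="/servicesNS/*/saved/searches/*")
``` comment: the first clause yields the change records, the second the user-attributed REST requests that caused them
| eval source_kind=if(index="_configtracker","change","request")
``` comment: _configtracker: derive the app from the conf path and the object from the first changed stanza
| eval conf_path='data.path'
| rex field=conf_path "etc/apps/(?<cfg_app>[^/]+)/"
| eval cfg_object=mvindex('data.changes{}.stanza',0)
``` comment: splunkd_access: derive app and object from the REST URI; the object name is URL-encoded there
| rex field=uri_path "^/servicesNS/[^/]+/(?<req_app>[^/]+)/saved/searches/(?<req_object>[^/?]+)"
| eval req_object=urldecode(req_object)
| eval app=coalesce(cfg_app, req_app), object=coalesce(cfg_object, req_object)
| eval action=coalesce('data.action', method)
``` comment: both sides land within seconds of each other, so a 1-minute bucket is enough to pair them
| bin _time span=1m
| stats values(user) AS user values(clientip) AS clientip values(action) AS action values(source_kind) AS sources BY _time app object
``` comment: keep only buckets where a change and a request were both seen
| where mvcount(sources)=2
| sort - _time
```

The result has one row per modified saved search (Correlation Searches are savedsearches.conf stanzas) with the user and source IP from the REST request beside the action recorded by _configtracker. Points to keep in mind: splunkd_access is written by the search head that served the request, so in a search head cluster _internal from every member must be searchable; drop the `where mvcount(sources)=2` line to also see changes with no matching request (typically edits made directly on the file system or by deployer pushes), which are exactly the ones worth a second look; and the one-minute bin is a heuristic, so widen the span if the two event streams arrive with different delays.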

I think at least one presenter is quite active on Slack, so you could try to ask him for help.