tracking Splunk modifications

gcusello (SplunkTrust)

Hi at all,

I have to track Splunk modifications (Correlation Searches, conf files, etc.).

I tried to use the _configtracker index, which is complete and answers all my requirements, but it doesn't track the user who performs an action.

How could I do this?

Thank you for your help.

Ciao.

Giuseppe


isoutamo (SplunkTrust)

Maybe this helps you in the future:

"Did we just lose ALL our knowledge objects? Do you know how much time and energy that was?" After a destructive resync, Paychex lost two months of its knowledge object creations/modifications. We learned to be prepared if it were to ever happen again. How? It's easier than you might think, and you don't have to be an admin. You’ll learn how to proactively save your work (dashboards, reports, data models, MLTK experiments, ITSI glass tables, macros, views, etc.) and audit changes when they occur. You will leave the session knowing how to manage the ever-increasing amount of things you create. You'll also have solutions that can save you time and effort from having to recreate lost/modified objects, including how to restore service faster. You also will come away with peace of mind knowing that you can take control of safeguarding and protecting your work, thereby covering your assets when a disaster happens.


gcusello (SplunkTrust)

Hi @isoutamo,

it seems to be the solution to my requirement, but the results are strange:

in my environment I don't see the object creation events,

the edited and deleted activities are only on data and not on objects such as Correlation Searches, and they are never on the custom app I'm using for the ES customizations.

If I filter for my App, I see as activity only "Correlation search", which seems to be the running of the Correlation Search, not the modification.

I have to make some additional tests!

Too bad that the _configtracker indication does not also contain user tracking otherwise it would be the perfect solution for my requirement.

Thank you for your help, if you have some additional hint, please let me know.

Ciao.

Giuseppe


isoutamo (SplunkTrust)

I think at least one presenter is quite active on Slack, so you could try to ask him for help.
