×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
D77
Loves-to-Learn Lots
Member since: ‎08-25-2024
‎08-30-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-25-2024
View All

Re: Changes (regression?) to export activity audit...

by in Splunk Enterprise Security
‎08-30-2025 07:55 PM
‎08-30-2025 07:55 PM
@PickleRick  - thanks for your reply. It appears we have differing thoughts on this. If I lose something that has provided me utility in the past, I then to think or that as a regression. Export events in my view are things an organisation should most care about from an intellectual property and security perspective. We do actually forward pertinent events from _internal (including these exports events) to a collection engine for long term storage. However the export events in v9 are now less useful to us. Additionally, not every organisation would forward their events so having the audit that really counts in _audit still seems prudent to me. I don't think that my desire for index=_audit to be a historical record for auditing and forensic purposes is excessive.  ... View more

Re: Changes (regression?) to export activity audit...

by in Splunk Enterprise Security
‎08-30-2025 07:25 PM
‎08-30-2025 07:25 PM
@livehybrid - Thanks for your response. I have passed to our engineering team to test. I have previously added my thoughts to a splunk idea in the same thread (rather than create a new idea): https://ideas.splunk.com/ideas/EID-I-1964 But it doesn't appear to get much traction. I have however appended my new findings  to that idea so the concerns are not lost. ... View more

Changes (regression?) to export activity audit log...

by in Splunk Enterprise Security
‎08-28-2025 02:58 AM
‎08-28-2025 02:58 AM
In Splunk v7 we used to search index=_internal to find events that contained GET AND "/results/export?output"  This provided us with information about who had performed the export, in which App, how long the download took, bytes downloaded and which fields had been download, etc In Splunk 9 we have had to switch to searching index=_internal for POST and "/results/export". From reading it looks like GET has been deprecated, not that the HTTP method really matters to us. However the appended list of fields that were downloaded with the export activity no longer appears to be generated. For us this is an unfortunate regression as it limits our visibility to quickly assess what has been downloaded without needing to re-generate the search. It would be useful to understand why the downloaded field set is no longer part of the export event. And whether there is something we can potentially configure to enable this to be visible in the events again. On an aside we feel that these events would be better located in the index=_audit as the index=_internal rolls pretty quickly, so if not constantly forwarding elsewhere visibility of such export activity is transient (noting that there is also an export event generated in _audit but we find that log event of less utility in compliance checks). ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-30-2025 07:10 PM