We have a couple of admins, myself and power; I want to create an alert whenever any one of them makes any changes. Please share some commands, instead of links and docs.
Since the definition of "anyone made any changes" is vague, however, general changing actions shall include the create, edit, change, delete keywords. The way to find these keywords for users can be done as follows:

index=_audit action=*edit* OR action=*create* OR action=*delete* OR action=*change* | stats count by user, action

There might be some other keywords like embed, restart, update etc. which you would want to consider depending on your need. This search then might be a good starting point to set up an alert on once logged in as an admin user.
Thanks for your response, buddy. Can I create an alert for this command, so that every time they make a change an alert comes up? Do I need to change anything in the command? Thanks.
index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change* OR action=*embed* OR action=*restart* OR action=*update*) user=admin | stats count by user, action

You have to have admin rights to search index=_audit. If you do, then the above command can be saved as an alert.
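The same detection logic as the search above, worked through outside Splunk as an added example (not code from the thread or from Splunk): it parses audit-style key=value lines, keeps only change-type actions by the admin accounts, and produces the equivalent of `stats count by user, action`. The sample lines, the action names in them (edit_user, create_savedsearch, ...) and the admin account names are constructed assumptions; real _audit events carry different action values, which is why the match is a substring match, mirroring the `action=*edit*` wildcards.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value shape of Splunk _audit events.
# These are illustrative only; action values in a real audit log differ.
SAMPLE_AUDIT = [
    'Audit:[timestamp=03-14-2024 10:01:02.000, user=admin, action=edit_user, info=granted object="bob" ]',
    'Audit:[timestamp=03-14-2024 10:02:10.000, user=alice, action=search, info=granted search="index=main" ]',
    'Audit:[timestamp=03-14-2024 10:03:33.000, user=admin, action=create_savedsearch, info=granted ]',
    'Audit:[timestamp=03-14-2024 10:04:45.000, user=power, action=delete_savedsearch, info=granted ]',
    'Audit:[timestamp=03-14-2024 10:05:12.000, user=admin, action=login, info=succeeded ]',
    'Audit:[timestamp=03-14-2024 10:06:59.000, user=admin, action=edit_user, info=granted object="carol" ]',
]

# Keywords from the thread: action=*edit* OR action=*create* OR ... as substrings.
CHANGE_KEYWORDS = ("edit", "create", "delete", "change", "embed", "restart", "update")

# Placeholder admin account names (assumption; replace with the real accounts).
ADMIN_USERS = {"admin", "power"}

# key=value or key="quoted value"; values end at a comma, whitespace or ']'.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s\]]+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_change_action(action):
    """Substring match, equivalent to the action=*keyword* wildcards in SPL."""
    a = action.lower()
    return any(k in a for k in CHANGE_KEYWORDS)


def admin_change_counts(lines, admins=ADMIN_USERS):
    """Equivalent of: ... user IN (admins) | stats count by user, action."""
    counts = Counter()
    for line in lines:
        f = parse_audit_line(line)
        user, action = f.get("user"), f.get("action")
        if user in admins and action and is_change_action(action):
            counts[(user, action)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, action), n in sorted(admin_change_counts(SAMPLE_AUDIT).items()):
        print(f"{user:8} {action:22} {n}")
```

The alert condition the thread asks for is simply "result count greater than 0" on this aggregation; the login event is dropped because no change keyword appears in its action, and alice's search is dropped because she is not an admin.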
I really appreciate your concern; I have a question. I created an alert using the above logic, but here I want the alert to include information about who triggered it and what they triggered, with all the information in the email. Can you please help me out with this?
When you run this search, you have an option of Save As Alert. In the Alert Trigger Actions there is an option of Add Action > Send Email > When Triggered > Include which can be used to send the results as attachments or inline as a table.
I created an alert and deleted an alert to try to see if the above search triggers an event. I do get results with the above query, but not useful information like "admin created an alert" or "admin deleted an alert" and the alert name. Is there some query I should be looking for? Is it possible in the first place?