I am now very new to Splunk. I have installed a Splunk forwarder to monitor Window Security Logs, but would like also build a search to search who deleted and modified files / folder for the last 24 hours. Please point me to the right direction. Also, is it possible to prompt asking to enter the server name or file name when the search is running? Thanks.
Before you can write a search to find out who deleted or modified files on Windows server, you need to enable some sort of file auditing.
Three options currently in Splunk:
In terms of performance, because we wanted to monitor any type of file operation, which includes millions of log entries per hour in some servers, we decided to go for a 3rd party enterprise agent that was known to have a low impact in your server performance, but in your case I would probably go for the native Windows file auditing via event logs.
Once you have your event logs coming into Splunk, simply filter by the relevant index, sourcetype, host and EventCodes based on the Event IDs used by Windows auditing. See this link again for more information.
Hope that helps.
index=<your index> EventCode=<event code for your operation> host=<servername you want> earliest=-24h