The Splunk Developer’s Guide and the accompanying Splunk Reference App might be helpful in answering your question. A print version is available from Amazon.com.
It was designed by a Splunk dev team to help you learn how to build, test, and deploy apps. The reference app (named PAS) showcases proven practices using the Splunk Developer Platform and includes code that you can download, reuse and even contribute to, code walkthroughs as well as the associated unit and acceptance tests.
The featured example demonstrates how to monitor various document repositories (current and future). Managers and auditors can use the app to see who has viewed, modified, deleted, or downloaded documents or other artifacts from various sources, detect suspicious behaviors, and analyze trends.
Currently an updated version is under development that will expand the functionality, so even if it’s not relevant now you might want to keep checking to see what’s been added.