What can I search for in _internal data to monitor...

thezero · ‎02-08-2016

HI Team,

I am trying to configure some alerts for tracking all Splunk admin activities like mentioned below where changes are performed via UI or command line. Logs available in _audit index are very inadequate as it only gives info about actions performed, but not about who performed the action and other info. Please advise some sample searches or keywords to search in _internal logs or other places for following Splunk admin activities

Splunk user Account creation/deletion/modification
New index creation /deletion
splunk restart
change any config file
crate role/app etc

adonio · ‎02-23-2017

Hi thezero,
Here are some seaerches that answer your questions above:

Splunk user Account creation/deletion/modification
index = _audit user=admin action=edit_user operation= | table _time user operation object*
create / modify role
index="_audit" action=edit_roles operation= | table _time user operation object*

New index creation /deletion
index = _audit user=admin action=indexes_edit
index = _internal component=IndexWriter message="*Initializing" component=IndexWriter | table _time idx | rename idx as "New Index"*
Index Removed
index = _audit user=admin action=indexes_edit object= | table user action object*

Splunk restart
index=_internal source=*splunkd.log "(build"*
from:
https://answers.splunk.com/answers/242618/how-to-count-the-number-of-times-splunk-is-restart.html

Regards,

What can I search for in _internal data to monitor/audit Splunk admin activities?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM