- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to pull a audit trail logs who made changes fr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have like couple of admins, myself power, i want to create a alert any one of them made any changes. please share some commands, instead of links and docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the definition of anyone made any changes is vague however general changing actions shall include create, edit, change, delete keywords. The way to find these keywords for users can be done as follows:
index=_audit action=*edit* OR action=*create* OR action=*delete* OR action=*change*| stats count by user, action
There might be some other keywords like embed, restart, update etc. which you would want to consider depending on your need. This search then might be a good starting point to setup an alert on once logged in as an admin user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the definition of anyone made any changes is vague however general changing actions shall include create, edit, change, delete keywords. The way to find these keywords for users can be done as follows:
index=_audit action=*edit* OR action=*create* OR action=*delete* OR action=*change*| stats count by user, action
There might be some other keywords like embed, restart, update etc. which you would want to consider depending on your need. This search then might be a good starting point to setup an alert on once logged in as an admin user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you response buddy, can i create an alert for this command. every time they made change, alert comes up. do i need to change in command. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change* OR action=*embed* OR action=*restart* OR action=*update*) user=admin| stats count by user, action
You have to have admin rights to search index=_audit. If you do, then above command can be saved as an alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I really appreciate for you concern, i have question. i created alert using above logic, but here i want alert with information with who did trigger and what he trigger all information in email. can you please help me out of this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you run this search, you have an option of Save As Alert. In the Alert Trigger Actions there is an option of Add Action > Send Email > When Triggered > Include hich can be used to send the results as attachments or inline as table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created an alert and deleted an alert to try to see if the above search triggers an event. I do get results with the above query. But, not useful information like admin created an alert or deleted an alert and the alert name. Is there some query I am looking for. Is it possible on the first hand?
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
