Dear Splunkers,
I would like to know if there is a reference for all the different actions of the field "action" (edit_sourcetype, edit_token_http, ...) in the Splunk _audit index?
Regards
Benjamin
Yes, these are listed in $SPLUNK_HOME/etc/system/default/authorize.conf
which starts out like this:
# Version 6.5.2
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# commented out capabilities that are registered by their own components.
# leaving here for educational purposes.
# This file creates roles and sets granular access controls.
# These stanzas list all the capabilities in the system
[capability::accelerate_datamodel]
Yes, these are listed in $SPLUNK_HOME/etc/system/default/authorize.conf
which starts out like this:
# Version 6.5.2
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# commented out capabilities that are registered by their own components.
# leaving here for educational purposes.
# This file creates roles and sets granular access controls.
# These stanzas list all the capabilities in the system
[capability::accelerate_datamodel]