Can someone point me in the right direction to find info concerning auditing Splunk Cloud role changes? Specifically, I need to find out who/when an index access change occurred for a role in our Splunk Cloud deployment. I have tried searching the audit index, yet I don't get any info that says: `this user account________ on this date__________ modified the index access list for this role________`?
Thank you.
Peter,
I developed a report that runs each week, and sends me the reults fo the following search string:
index=_audit source=audittrail operation=edit action!=search action=edit_roles
You could modify this search with other parameters that suit your particular needs or frequency. The above, will show you all mods made to the admin role. I hope that helps. Thanks!
Problem Solved.
@nthornbury - Were you ever able to get this solved?
Yes, I am good to go on this one. Thank you for the follow-up!
Would you be so kind and share how you solved it, so that others can benefit from the info.