Is there any way to find out if any new alert or dashboard is being created in the Splunk system?
This is not returning the name of the alert which the user recently created. I want it in tabular form with user, time and the name of the alert/dashboard created.
Hi,
Try this query:
index=_internal sourcetype=splunkd_ui_access editxml OR edit method=post ui/views/
| rex field=referer "/(?<edit_type>editx?m?l?)(\?|$)"
| rex field=other "\s*?\-\s*(?<sessionId>[\S]+)\s*"
| table _time user clientip sessionId edit_type file useragent
| rename file as dashboard
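The query above only covers dashboards. As an added example (not the answerer's query) for the alert half of the question, the saved-search and view REST endpoints list every object's name, owner, app and last-modified timestamp, assuming the `rest` command is permitted for the user running it and the objects live on the local search head (`splunk_server=local`):

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1
| eval object_type="alert/scheduled search"
| table updated eai:acl.owner eai:acl.app title object_type actions
| append
    [| rest /servicesNS/-/-/data/ui/views splunk_server=local
     | eval object_type="dashboard", actions=""
     | table updated eai:acl.owner eai:acl.app title object_type actions]
| rename updated AS last_modified, eai:acl.owner AS user, eai:acl.app AS app, title AS name
| sort - last_modified
| head 50
```

`updated` is the last modification time, not the creation time, so a recently edited old alert appears next to a brand-new one; cross-check suspicious rows against the `_internal` query above, which has the client IP and session of the request.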