Monitoring Splunk

How to check if any alert or dashboard have been changed/modified in splunk

JuhiSaxena
Explorer

I want to create an alert to report any alert or dashboard which has been edited and am using the below Splunk query to do so. However, this is reporting a few alerts which were simply opened and no changes were made to them. Please help.

index=_internal sourcetype=splunkd_ui_access * method=POST NOT "/search/jobs" "/saved/searches" OR "data/ui/views"
| eval Time=strftime(_time, "%m/%d %H:%M:%S")
| table Time user uri
| rex field=uri "(\/[^\/]+){5}\/(?[^\/]+)\/\w+(\/ui)*\/(?[^\/]+)\/(?

Marked and formatted the code in the query for you with the 101 010 button. The code is missing the end of the regex, and anything else after that.


jkat54
SplunkTrust

You should be using the audit index in my opinion. Without that, you won’t be able to tell if someone modifies .conf files such as savedsearches.conf via the command line, etc.


Sukisen1981
Champion

JuhiSaxena
Explorer

Thanks for your response. However, I have gone through the links you provided. The Splunk query I shared is working perfectly fine, but is reporting some extra entries, which is when a user opens an alert [which shouldn't be reported ideally]. I need to know what is wrong with my existing query which may be causing this.

I only need the list of objects which are actually edited.


rvany
Communicator

The query you noted is syntactically incorrect (some parts are missing, probably lost during copy & paste) - please provide the complete statement.

Additionally: maybe your search statement is not exactly what you want. Please check your NOT and OR parts of the first line. Are they the way you expect?

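For reference, here is a complete, explicitly grouped version of the search from the question, written as an added example rather than any poster's query. It makes the NOT/OR precedence rvany asks about explicit (in SPL, NOT binds tightest and OR binds tighter than the implicit AND, so parentheses remove any doubt) and fills in the named capture groups that were stripped from the posted regex; the group names app, type and object, and the assumption that the servicesNS URI has five leading path segments before the app name, are assumptions.

```spl
index=_internal sourcetype=splunkd_ui_access method=POST
    NOT "/search/jobs"
    ("/saved/searches" OR "data/ui/views")
| rex field=uri "^(?:/[^/]+){5}/(?<app>[^/]+)/\w+(?:/ui)?/(?<type>[^/]+)/(?<object>[^/?]+)"
| eval Time=strftime(_time, "%m/%d %H:%M:%S")
| table Time user method uri app type object
```

The regex assumes URIs of the form .../servicesNS/<owner>/<app>/saved/searches/<name> and .../servicesNS/<owner>/<app>/data/ui/views/<name>, so type comes out as searches or views and object as the saved search or dashboard name.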