Hi Team,
Recently we have observed few of our scheduled searches has been disabled(also summary indexing disabled). Is it possible to have an audit for the users who has done the changes?
Hi ,
You can try this also
| rest /services/saved/searches | where is_scheduled=1
I'm guessing that would be in the _audit index? Maybe check out What Splunk Logs About Itself