Hello,
Looking for a way to monitor certain operational changes in Splunk like:
- A new sourcetype has been created.
- A new Input has been created.
- An input was removed/deleted.
- An Alert or Report was created or deleted.
You should use version control for any conf changes made to your indexers, search heads, deployment servers, etc. You can also leverage the internal log to answer the alert/report modification:
index=_audit
What event will tell me a new index was created in Splunk Cloud?
Yeah, this is available in the audit index too. Please accept the answer if this answered your questions.
index=_audit action=indexes_edit