Getting Data In

How to pull audit trail logs of who made changes between given dates, and I want to create an alert for that.

Rocky31
Path Finder

We have a couple of admins, and I am a power user. I want to create an alert whenever any one of them makes any changes. Please share some commands, instead of links and docs.

1 Solution

gokadroid
Motivator

Since the definition of "anyone made any changes" is vague, general changing actions shall include the create, edit, change and delete keywords. The way to find these keywords per user is as follows:

index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change*) | stats count by user, action

There might be some other keywords like embed, restart, update etc. which you would want to consider depending on your need. This search then might be a good starting point to set up an alert on once logged in as an admin user.

Rocky31
Path Finder

Thanks for your response, buddy. Can I create an alert for this command, so that every time they make a change an alert comes up? Do I need to change the command? Thanks.

gokadroid
Motivator

index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change* OR action=*embed* OR action=*restart* OR action=*update*) user=admin | stats count by user, action

You have to have admin rights to search index=_audit. If you do, then the above command can be saved as an alert.

Rocky31
Path Finder

I really appreciate your concern; I have a question. I created an alert using the above logic, but here I want the alert to include information on who triggered it and what they triggered, with all the information in the email. Can you please help me out with this?

gokadroid
Motivator

When you run this search, you have the option Save As Alert. In the Alert Trigger Actions there is an option Add Action > Send Email > When Triggered > Include, which can be used to send the results as an attachment or inline as a table.
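
The same thing expressed as a savedsearches.conf stanza, so the alert can be versioned and reviewed instead of only clicked together in the UI. This is an example added here; it is not code from anyone in this thread or from Splunk. The stanza name and the recipient address are placeholders, and the search swaps the thread's `stats count` for `table` so each emailed row shows who did what and when. It keeps the parentheses around the action terms, because without them `index=_audit` binds only to the first term and the other terms fall through to the default indexes.

```ini
# savedsearches.conf  (example stanza, not from the thread above)
# Assumptions: "[Admin change audit]" and security-team@example.com are placeholders.
[Admin change audit]
# Parentheses are required: implicit AND binds tighter than OR in SPL.
# table (instead of stats count) keeps one row per audit event with who/what/when.
search = index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change* OR action=*embed* OR action=*restart* OR action=*update*) user=admin | table _time, user, action, info

# Run every 15 minutes over the previous 15 minutes
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Fire when the search returns at least one row
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4

# Email the results inline as a table so the message itself shows who did what
action.email = 1
action.email.to = security-team@example.com
action.email.subject = Splunk admin change by $result.user$: $result.action$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

To cover several admin accounts rather than the single `user=admin`, replace that clause with a list such as `user IN (admin, otheradmin)` (placeholder names), or drop it entirely and let the `table` output show which account acted. The `$result.user$` and `$result.action$` tokens in the subject line are filled from the first result row, so the notification is readable before the table is opened.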

chandrasekharko
Path Finder

I created an alert and deleted an alert to try to see if the above search triggers an event. I do get results with the above query, but not useful information like "admin created an alert" or "admin deleted an alert" and the alert name. Is there some query I should be looking for? Is it possible in the first place?
