OK, thank you for confirming.

My required output:
1) TimeOfTheAction, DashboardName, UserWhoModifiedit
2) TimeOfTheAction, SearchName, UserWhoModifiedit

Trial 1 (for alerts):

    index=_internal sourcetype=splunkd_conf data.asset_uri{}=savedsearches "data.optype_desc"="*" | table _time data.optype_desc

Using the above, I am not able to find the user who modified the saved search.

Trial 2 (for dashboards):

    index=_internal sourcetype=splunkd_ui_access method=post ui/views (edit OR editxml) | table req_time,file,user | rename file as dashboard req_time as editTime

The above doesn't give any results.

Trial 3 (for dashboards):

    index=_internal sourcetype=splunkd_ui_access method=post ui/views NOT StreamedSearch | table req_time,file,user | rename file as dashboard req_time as editTime

Is the above the correct one?