We got a request from one of our groups to be notified if any of their searches / alerts were modified, by whom, and whether it is possible to
revert the changes.
I assume we can use the results of "index=_internal sourcetype=splunkd_ui_access method=POST...." to get the search/alert name and the user
who ran the POST, but is it possible to find out what changes were made and revert them?
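
Added example, not part of the original post: a Python sketch of the "who modified which search" half of the question, run over exported `splunkd_ui_access` events. The access-log layout, the `/servicesNS/<owner>/<app>/saved/searches/<name>` URI shape, and the treatment of `dispatch`/`acknowledge`/`acl` sub-paths are assumptions, and the sample lines are constructed. It does not recover what was changed.

```python
import re
from urllib.parse import unquote

# Constructed sample events; the layout is an assumed access-log format.
SAMPLE = [
    '10.0.0.5 - alice [12/Mar/2024:09:15:02.101 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512',
    '10.0.0.7 - bob [12/Mar/2024:09:20:44.530 +0000] "POST /en-US/splunkd/__raw/servicesNS/bob/secops/saved/searches/DNS%20Tunnel/acl HTTP/1.1" 200 310',
    '10.0.0.7 - bob [12/Mar/2024:09:21:10.002 +0000] "GET /en-US/splunkd/__raw/servicesNS/bob/secops/saved/searches/DNS%20Tunnel HTTP/1.1" 200 2048',
    '10.0.0.9 - carol [12/Mar/2024:09:30:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 403 120',
    '10.0.0.5 - alice [12/Mar/2024:09:31:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins/dispatch HTTP/1.1" 201 90',
]

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TARGET = re.compile(
    r'/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/saved/searches/'
    r'(?P<name>[^/?]+)(?:/(?P<action>[^/?]+))?')
# Assumption: these sub-paths run or acknowledge a search, they do not edit it.
NON_EDIT = {"dispatch", "acknowledge"}


def modifications(lines):
    """Return one record per successful POST that targets a saved search."""
    out = []
    for line in lines:
        m = LINE.match(line)
        # Only successful POSTs count: GETs are reads, non-2xx were rejected.
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        t = TARGET.search(m["uri"])
        if not t or t["action"] in NON_EDIT:
            continue
        out.append({
            "time": m["time"], "user": m["user"], "src": m["ip"],
            "app": unquote(t["app"]), "search": unquote(t["name"]),
            # A POST to .../acl is a permission change, not a definition edit.
            "change": "permissions" if t["action"] == "acl" else "definition",
        })
    return out


if __name__ == "__main__":
    for rec in modifications(SAMPLE):
        print(rec)
```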