I need to create a query to reveal who changed which objects on the search head cluster when (excluding modifications to personal items).
My query so far is:
index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" method=POST host="sh_svr_*" NOT prefs NOT parser NOT intentionsparser NOT login NOT jobs NOT "/dispatch"|stats count values(uri) by user
Q1) Is there a better query to use?
Q2) If I continue down this path, how can I exclude results in the URI field where the user name is contained within the URI string?
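The filtering the question describes, as an added Python example that is not the poster's code or Splunk's: it parses constructed splunkd_ui_access.log-style lines (the exact field layout is an assumption), keeps POSTs, drops the same noise terms the SPL above excludes with NOT, then applies the Q2 exclusion by dropping any URI that embeds the acting user's own name, and groups what remains by user with timestamps.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of splunkd_ui_access.log (Apache-style
# access log). These are made up for the example, not real cluster data.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Mar/2024:10:00:01.123 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches HTTP/1.1" 201 512 "-" "Mozilla/5.0" - 1a2b3c 42ms
10.0.0.5 - alice [01/Mar/2024:10:00:05.456 +0000] "POST /en-US/splunkd/__raw/servicesNS/alice/search/saved/searches HTTP/1.1" 201 512 "-" "Mozilla/5.0" - 1a2b3d 40ms
10.0.0.6 - bob [01/Mar/2024:10:01:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/dashboard1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 1a2b3e 55ms
10.0.0.6 - bob [01/Mar/2024:10:01:30.000 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 128 "-" "Mozilla/5.0" - 1a2b3f 30ms
10.0.0.7 - carol [01/Mar/2024:10:02:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 1a2b40 12ms
10.0.0.7 - carol [01/Mar/2024:10:02:10.000 +0000] "POST /en-US/account/login HTTP/1.1" 303 0 "-" "Mozilla/5.0" - 1a2b41 15ms
"""

# Assumed line layout: client - user [timestamp] "METHOD URI HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Same noise terms the question's SPL query drops with NOT ...
NOISE = ("prefs", "parser", "intentionsparser", "login", "jobs", "/dispatch")


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_shared_change(rec):
    """POST, not a noise endpoint, and the URI does not carry the acting user's
    own name (servicesNS/<user>/... is that user's private namespace)."""
    if rec["method"] != "POST":
        return False
    uri = rec["uri"]
    if any(term in uri for term in NOISE):
        return False
    # Q2: drop requests whose path embeds the requesting user's own name.
    return f"/{rec['user']}/" not in uri


def shared_changes_by_user(log_text):
    """Return {user: [(timestamp, uri), ...]} for shared-object modifications."""
    changes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_shared_change(rec):
            changes[rec["user"]].append((rec["ts"], rec["uri"]))
    return dict(changes)
```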