It is unclear to me why there isn't any easy and comfortable way to search all the objects that have been changed in Splunk.
It is very basic, and something that admins need in order to be in control of the environment.
I have this query, which I found in an answer here, and added some changes:
index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access)
    (method=POST OR method=DELETE)
    user!=splunk-system-user user!=-
    (uri_path="/servicesNS/*" OR uri_path="/en-US/splunkd/__raw/servicesNS/*")
    ```exclusions sit outside the OR group above: AND binds tighter than OR, so inside it they only applied to the __raw branch```
    uri_path!="*/user-prefs/*" uri_path!="*/ui/prefs*" uri_path!="*/ui/ui-tour*"
    uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control"
    uri_path!="/servicesNS/*/mobile_access*"
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path ```fold two-segment endpoints into one so the rex below lands on <type>/<name>```
| replace "/en-US/splunkd/__raw*" with "*" in uri_path ```web UI calls are proxied under /en-US/splunkd/__raw; drop the prefix so both sourcetypes look alike```
| where mvcount(split(uri_path, "/")) > 6 ```keep only paths deep enough for owner/app/collection/type/name```
| eval activity = case(method=="POST" AND like(uri_path, "%/acl"), "Permissions Update", method=="POST" AND NOT like(uri_path, "%/acl"), "Edited", method=="DELETE", "Deleted")
| rex field=uri_path "/servicesNS(/[^/]+){3}/(?<object_type>[^/]+)/(?<object_name>[^/]+)" ```skip owner, app and the first collection segment```
| eval object_name = urldecode(object_name)
| convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S" ```second resolution, so dedup below is per second```
| table _time, user, object_name, object_type, activity
| dedup _time, user, object_name
But it is not quite good, as there seem to be a lot of false positives.
Can someone please help me accomplish this?
*** I am not familiar with the fields of the internal logs, and I couldn't find any description or details about them, so that would be useful too.
Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?
Thanks!
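As an added illustration, not part of the original question and not Splunk's own code, the script below applies the same filtering, path normalisation, object extraction and dedup as the query above to a handful of constructed log lines, so each step of the logic can be checked offline without a Splunk instance. Assumptions: the sample lines only approximate the layout of splunkd_access.log / splunkd_ui_access.log and are constructed, not captured; the `/en-US/splunkd/__raw` prefix is generalised to any `xx-YY` locale; the names `normalize_path`, `classify` and `audit_changes` are this example's own.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed sample lines in the shape of splunkd_access.log / splunkd_ui_access.log.
# The layout is an approximation of the real format (an assumption), not a capture.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Jun/2021:13:52:24.123 +0000] "POST /servicesNS/admin/search/saved/searches/Failed%20Logins HTTP/1.1" 200 812 - - - 9ms
10.0.0.5 - admin [16/Jun/2021:13:52:24.310 +0000] "POST /servicesNS/admin/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 640 - - - 4ms
10.0.0.5 - admin [16/Jun/2021:13:53:01.004 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/soc_overview?output_mode=json HTTP/1.1" 200 5120 - - - 21ms
10.0.0.9 - splunk-system-user [16/Jun/2021:13:53:05.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Scheduled%20Cleanup HTTP/1.1" 200 700 - - - 3ms
10.0.0.7 - alice [16/Jun/2021:13:54:10.500 +0000] "POST /servicesNS/alice/search/search/jobs/1623851650.42/control HTTP/1.1" 200 120 - - - 2ms
10.0.0.7 - alice [16/Jun/2021:13:54:30.000 +0000] "DELETE /servicesNS/alice/search/saved/searches/Old%20Report HTTP/1.1" 200 90 - - - 6ms
10.0.0.7 - alice [16/Jun/2021:13:55:00.000 +0000] "GET /servicesNS/alice/search/saved/searches HTTP/1.1" 200 9001 - - - 14ms
10.0.0.7 - bob [16/Jun/2021:13:56:12.000 +0000] "POST /servicesNS/nobody/search/authentication/users HTTP/1.1" 201 300 - - - 30ms
"""

# client - user [timestamp] "METHOD uri HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Web UI calls are proxied under a locale prefix; the query strips /en-US/ only,
# this generalises to any xx-YY locale (assumption).
RAW_PREFIX_RE = re.compile(r"^/[a-z]{2}-[A-Z]{2}/splunkd/__raw")
# The noise the query's uri_path!= terms drop; '*' spans '/' just as in SPL.
EXCLUDE_PATTERNS = [
    "*/user-prefs/*",
    "/servicesNS/*/*/*/jobs/*/control",
    "/servicesNS/*/mobile_access*",
    "*/ui/prefs*",
    "*/ui/ui-tour*",
]
# Mirrors the query's `replace` command: fold two-segment endpoints into one
# so that the object regex below lands on <type>/<name>.
COLLAPSE_RULES = [
    ("/ui/views", "/ui_views"),
    ("/props", ""),
    ("/distributed/peers", "/distributed_peers"),
    ("/server/serverclasses", "/server_class"),
]
# /servicesNS/<owner>/<app>/<collection>/<object_type>/<object_name>
OBJECT_RE = re.compile(r"/servicesNS(?:/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")


def normalize_path(uri):
    """Drop the query string and the __raw locale prefix, then collapse endpoints."""
    path = uri.split("?", 1)[0]
    path = RAW_PREFIX_RE.sub("", path)
    for old, new in COLLAPSE_RULES:
        path = path.replace(old, new)
    return path


def classify(method, path):
    """Same three buckets as the query's case() statement."""
    if method == "POST" and path.endswith("/acl"):
        return "Permissions Update"
    if method == "POST":
        return "Edited"
    if method == "DELETE":
        return "Deleted"
    return None


def audit_changes(log_text):
    """Return the rows the query's table would show, in log order, deduplicated."""
    seen = set()
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, method = m["user"], m["method"]
        if method not in ("POST", "DELETE") or user in ("splunk-system-user", "-"):
            continue
        path = normalize_path(m["uri"])
        if not path.startswith("/servicesNS/"):
            continue
        if any(fnmatchcase(path, pat) for pat in EXCLUDE_PATTERNS):
            continue
        # mvcount(split(uri_path, "/")) > 6: a collection-level POST such as
        # /servicesNS/nobody/search/authentication/users has only 6 parts and is dropped.
        if len(path.split("/")) <= 6:
            continue
        obj = OBJECT_RE.search(path)
        if not obj:
            continue
        # convert ctime(_time) reduces _time to second resolution before dedup.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z").strftime("%m/%d/%Y %H:%M:%S")
        name = unquote(obj["object_name"])
        key = (ts, user, name)
        if key in seen:  # dedup _time, user, object_name keeps the first row only
            continue
        seen.add(key)
        rows.append({"_time": ts, "user": user, "object_name": name,
                     "object_type": obj["object_type"], "activity": classify(method, path)})
    return rows


if __name__ == "__main__":
    for row in audit_changes(SAMPLE_LOG):
        print(row)
```

Running it on the constructed lines yields three rows: the saved-search edit by admin, the dashboard edit by admin (arriving via the __raw prefix with a query string) and alice's delete. The system user, the GET, the job-control POST and the collection-level user-creation POST are all dropped by the same conditions the query uses. Note that the `/acl` POST on `Failed Logins` is also lost: it lands in the same second as the edit, and the dedup key is only time, user and object name, so the first row wins.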