[Splunk] Searching the Splunk activity history

2022. 9. 27. 00:40 | Big Data Analysis/Splunk

Reference: https://community.splunk.com/t5/Dashboards-Visualizations/How-can-I-determine-who-modified-a-dashboard/td-p/267069?_ga=2.151378491.363618113.1664206755-613200826.1640812860&_gl=1*5rpph6*_ga*NjEzMjAwODI2LjE2NDA4MTI4NjA.*_gid*MzYzNjE4MTEzLjE2NjQyMDY3NTU.


This search over the splunkd_access log shows which account made each change to a knowledge object (views, saved searches, permissions and so on) and when.


index=_internal sourcetype=splunkd_access
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- )
( uri_path=/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" )
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributes_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| eval object_name = urldecode( object_name )
| table _time, user, object_name, object_type, activity
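The same filtering, path rewriting and activity classification as the search above, as an added Python example that is not from this post or from Splunk; it runs over constructed splunkd_access-style lines so you can check offline which requests the search would surface and how they would be labelled.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed lines shaped like sourcetype=splunkd_access (not real log data).
SAMPLE_LOG = """\
127.0.0.1 - admin [27/Sep/2022:00:40:12.345 +0900] "POST /servicesNS/admin/search/data/ui/views/sales_dash/acl HTTP/1.1" 200 512 - - - 3ms
127.0.0.1 - alice [27/Sep/2022:00:41:02.001 +0900] "POST /servicesNS/alice/search/saved/searches/Failed%20Logins HTTP/1.1" 200 640 - - - 7ms
127.0.0.1 - bob [27/Sep/2022:00:42:30.777 +0900] "DELETE /servicesNS/nobody/search/data/ui/views/old_view HTTP/1.1" 200 0 - - - 2ms
127.0.0.1 - splunk-system-user [27/Sep/2022:00:43:00.000 +0900] "POST /servicesNS/nobody/search/saved/searches/x HTTP/1.1" 200 0 - - - 1ms
127.0.0.1 - alice [27/Sep/2022:00:45:00.000 +0900] "POST /servicesNS/alice/search/search/jobs/1664.1/control HTTP/1.1" 200 10 - - - 1ms
"""

LINE_RE = re.compile(r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri_path>\S+) ')
# Same capture as the rex in the search: three segments after /servicesNS, then object type and name.
OBJECT_RE = re.compile(r"/servicesNS(?:/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")
# The uri_path!= exclusions; a Splunk '*' spans '/' just as fnmatch's does.
EXCLUDED = ("*/user-prefs/*", "/servicesNS/*/*/*/jobs/*/control", "/servicesNS/*/mobile_access*")
# The | replace ... in uri_path step, which folds two-segment endpoints into one token.
REWRITES = (("/ui/views", "/ui_views"), ("/props", ""),
            ("/distributed/peers", "/distributes_peers"), ("/server/serverclasses", "/server_class"))

def classify(method, uri_path):
    """Same logic as the eval case(): a POST on .../acl is a permission change, other POSTs are edits."""
    if method == "POST":
        return "Permissions Update" if uri_path.endswith("/acl") else "Edited"
    if method == "DELETE":
        return "Deleted"
    return None

def audit_rows(log_text):
    """Return the rows the search would table: who changed which object, when and how."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, method, uri_path = m["user"], m["method"], m["uri_path"]
        if method not in ("POST", "DELETE") or user in ("splunk-system-user", "-"):
            continue
        if not uri_path.startswith("/servicesNS/") or any(fnmatchcase(uri_path, p) for p in EXCLUDED):
            continue
        for old, new in REWRITES:
            uri_path = uri_path.replace(old, new)
        obj = OBJECT_RE.search(uri_path)
        if len(uri_path.split("/")) <= 6 or not obj:   # where mvcount(split(uri_path, "/")) > 6
            continue
        rows.append({"_time": m["ts"], "user": user, "object_name": unquote(obj["object_name"]),
                     "object_type": obj["object_type"], "activity": classify(method, uri_path)})
    return rows
```

Of the five constructed lines only the first three survive: the system-user request and the search-job control call are dropped by the same filters the SPL applies.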
