Track the Users who Delete Knowledge Objects in Splunk


Have you ever wanted to catch the person who deleted your valuable dashboards, reports and alerts from Splunk?

Yes, it is possible. In this blog we share a trick that helps organizations find out who is carrying out this kind of suspicious activity.

Follow the process below and use the SPL query to track such activity.

When a knowledge object is deleted from Splunk, a record of the deletion is stored in Splunk's default internal indexes, such as _internal and _audit.

Below is the query that will help you find out which user has deleted "Dashboard(s)", "Alert(s)" and "Report(s)" from the Splunk Search Head.

index=_internal "DELETE"
| rex field=_raw mode=sed "s/\%20//g"
| rex field=_raw ".*\/(?<AName>\w+)(\?output_mode\=json?|\s+)\w+.*"
| stats values(AName) as "DeletedKnowledgeObjects" by user

In the above query, _internal is the index name. We search the incoming logs for the string "DELETE", so we get only those events where the string "DELETE" or "delete" is present. We then use the rex command with the mode=sed argument and a sed expression to strip %20 from the raw event. %20 is the URL-encoded form of a space.

Next, we use the rex command to extract a field from the raw log. AName is the name of the extracted field. It holds the names of the "Report(s)", "Alert(s)" and "Dashboard(s)" that have been deleted by someone.

In the pre-pattern, .* matches everything up to a "/" sign, which is escaped as \/. In the extracted pattern, \w+ matches one or more word characters. The post-pattern has two alternatives inside the parentheses, separated by "|", which acts as an OR operator. In the first alternative, \? is an escaped "?" sign, followed by "output_mode", which is a portion of the log; \= is an escaped "=" symbol, followed by "json", which is also a portion of the log. The ? after it means zero or one repetition of the preceding character. The second alternative, \s+, matches whitespace. Finally, \w+ matches the word characters that follow and .* matches everything that remains.

We create a multi-value field with the values function of the stats command, and use the by clause to group the values of the AName field by user. Here user is an existing field in the _internal index.

So "DeletedKnowledgeObjects" is the new multi-value field that shows the names of all deleted "Dashboard(s)", "Report(s)" and "Alert(s)", and the user field shows the corresponding user name(s).
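An added example, not part of the original post: a Python re-creation of the query's keyword filter, sed step and rex extraction, run over constructed access-log lines to show two cases where the page's pattern drops or mislabels a deleted object. The log layout, user names, object names and the tighter `STRICT_RE` pattern are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The page's rex pattern; Python writes the named group as (?P<AName>...).
PAGE_RE = re.compile(r".*\/(?P<AName>\w+)(\?output_mode\=json?|\s+)\w+.*")
# Assumed tighter pattern (not from the page): anchor on the DELETE verb and the
# REST paths that hold dashboards (data/ui/views) and reports/alerts (saved/searches).
STRICT_RE = re.compile(r'"DELETE \S*/(?:data/ui/views|saved/searches)/(?P<AName>[^/?\s"]+)')

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

def ui_access_line(user, path, agent):
    """Build one constructed event in an access-log style layout (an assumption)."""
    return (f'10.0.0.5 - {user} [12/Mar/2024:10:15:32.123 +0000] '
            f'"DELETE /en-US/splunkd/__raw/servicesNS/{user}/search/{path}'
            f'?output_mode=json HTTP/1.1" 200 125 "-" "{agent}" - 12ms')

SAMPLE = [  # constructed events, not real Splunk output
    ui_access_line("alice", "data/ui/views/vpn_overview", CHROME),
    ui_access_line("alice", "data/ui/views/soc-triage", CHROME),      # hyphenated name
    ui_access_line("bob", "saved/searches/Failed%20Logins", FIREFOX), # space in name
]

def deleted_by_user(lines, pattern):
    """Mirror the SPL: keyword filter, strip %20, extract AName, group by user."""
    found = defaultdict(set)
    for line in lines:
        if not re.search(r"\bdelete\b", line, re.IGNORECASE):
            continue
        user = line.split()[2]            # third field of the constructed layout
        line = line.replace("%20", "")    # rex mode=sed "s/\%20//g"
        match = pattern.search(line)
        if match:
            found[user].add(match.group("AName"))
    return {user: sorted(names) for user, names in found.items()}

if __name__ == "__main__":
    print("page pattern  :", deleted_by_user(SAMPLE, PAGE_RE))
    print("strict pattern:", deleted_by_user(SAMPLE, STRICT_RE))
```

With the page's pattern, the hyphenated dashboard name never matches because \w+ stops at "-", and the greedy .* lets the "Gecko/20100101 Firefox" part of the user agent win over the object path. Anchoring on the verb and the REST path avoids both.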

We hope you now understand how to find the users who have deleted knowledge objects from Splunk. So from now on, think twice before deleting something from Splunk.

Hope this has helped you achieve this requirement without fail: tracking the users who delete knowledge objects in Splunk.



Happy Splunking !!

