Monitor changes to self storage settings
You might want to monitor changes to self storage settings to ensure that the self storage locations and settings meet your company's requirements over time. When you make changes to self storage settings, Splunk Cloud logs the activity to the audit.log. You can search these log entries in Splunk Web by running the following search.
index="_audit"
Note that Splunk Cloud Platform cannot monitor the settings for the self storage bucket on AWS or GCP. For information about monitoring your self storage buckets, see the following:
- AWS: Access the Amazon S3 documentation and search for "Monitoring Tools".
- GCP: Access the Google Cloud Storage documentation and search for Working with Buckets and Cloud Monitoring.
The following examples apply to AWS and GCP and show the log entries available for monitoring your self storage settings.
Log entry for a new self storage location
Splunk Cloud Platform logs the activity when you create a new self storage location. For example:
10-01-2017 11:28:26.180 -0700 INFO AuditLogger - Audit:[timestamp=10-01-2017 11:28:26.180, user=splunk-system-user, action=self_storage_enabled, info="Self storage enabled for this index.", index="dynamic_data_sample" ][n/a]
You can search these log entries in Splunk Web by running the following search.
index="_audit" action=self_storage_create
Log entry when you remove a self storage location
Splunk Cloud Platform logs the activity when you remove a self storage location. For example:
10-01-2017 11:33:46.180 -0700 INFO AuditLogger - Audit:[timestamp=10-01-2017 11:33:46.180, user=splunk-system-user, action=self_storage_disabled, info="Self storage disabled for this index.", index="dynamic_data_sample" ][n/a]
You can search these log entries in Splunk Web by running the following search.
index="_audit" action=self_storage_disabled
Log entry when you change settings for a self storage location
Splunk Cloud Platform logs the activity when you change the settings for a self storage location. For example:
09-25-2017 21:14:21.190 -0700 INFO AuditLogger - Audit:[timestamp=09-25-2017 21:14:21.190, user=splunk-system-user, action=self_storage_edit, info="A setting that affects data retention was changed.", index="dynamic_data_sample", setting="frozenTimePeriodInSecs", old_value="440", new_value="5000" ][n/a]
The following table shows settings that might change.
Field | Description |
---|---|
info="Archiver index setting changed." | Notification that you successfully changed self storage settings for the specified index. |
index="dynamic_data_sample" | Name of the index for which self storage settings were modified. |
setting="frozenTimePeriodInSecs" | The number of seconds before an event is removed from an index. This value is specified in days when you configure index settings. |
old_value="440" | Value before the setting was updated. |
new_value="5000" | Value after the setting has been updated. |
You can search these log entries in Splunk Web by running the following search.
index="_audit" action=self_storage_edit
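A combined search covering all three entry types above, suitable for saving as a scheduled alert. This is an added example, not taken from the Splunk documentation. The wildcard matches every self_storage_ action name shown on this page, and the output field names (target_index, changed_setting, old_setting_value, new_setting_value, retention_change) are hypothetical names chosen for this example. The rex patterns assume the raw event layout shown in the sample entries.

```spl
index="_audit" action=self_storage_*
| rex field=_raw "index=\"(?<target_index>[^\"]+)\""
| rex field=_raw "setting=\"(?<changed_setting>[^\"]+)\",\s*old_value=\"(?<old_setting_value>[^\"]*)\",\s*new_value=\"(?<new_setting_value>[^\"]*)\""
| eval retention_change=case(
    isnull(changed_setting), "n/a",
    changed_setting!="frozenTimePeriodInSecs", "n/a",
    tonumber(new_setting_value) < tonumber(old_setting_value), "shortened",
    tonumber(new_setting_value) > tonumber(old_setting_value), "lengthened",
    true(), "unchanged")
| table _time user action target_index changed_setting old_setting_value new_setting_value retention_change
| sort - _time
```

For the sample edit entry above (old_value="440", new_value="5000"), retention_change evaluates to "lengthened". Rows marked "shortened" and any self_storage_disabled rows are the ones to review against your retention requirements.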