action.delete | |
Action has been deleted
| Deleting an Action |
alert.clear-error | |
Alert error has been cleared
| Editing an Alert |
alert.create | |
Alert has been created
| Creating Alerts |
alert.delete | |
Alert has been deleted
| Deleting Automated Alerts |
alert.disable | |
Alert has been disabled
| Disabling an Alert |
alert.enable | |
Alert has been enabled
| Disabling an Alert |
alert.update | |
Alert has been updated
| Editing Alerts |
baseaudit | |
Generic auditing entry
| |
bucket-storage.update | |
Bucket storage configuration has been updated
| |
bucket.storage.target.delete | |
Bucket storage target has been deleted
| |
cachepolicy.delete | |
Data caching policy has been deleted
| removeRepoCachePolicy() |
cachepolicy.update | |
Cache policy has been updated
| setRepoCachePolicy() |
config.settings | |
Configuration settings have been changed
| Configuration Settings |
dashboard.create | |
A dashboard has been created
| Creating Dashboards and Widgets |
dashboard.delete | |
A dashboard has been deleted
| Main Operations |
dashboard.link.create | |
A shared dashboard link has been created
| Sharing Dashboards |
dashboard.link.delete | |
A shared dashboard link has been deleted
| Disabling Access to Shared Dashboards |
dashboard.link.update | |
A shared dashboard link has been updated
| Disabling Access to Shared Dashboards |
dashboard.update | |
A dashboard has been edited
| Editing Dashboards |
datasource.autoshard | |
Datasource autosharding has started
| Configure Auto-Sharding for High-Volume Data Sources |
datasource.delete | |
A datasource has been deleted
| |
datasource.max-autoshard-count | |
DATASOURCE_MAX_AUTOSHARD_COUNT
| Configure Auto-Sharding for High-Volume Data Sources |
datasource.stop-autoshard | |
Autosharding for a datasource has stopped
| Configure Auto-Sharding for High-Volume Data Sources |
dataspace.block | |
Ingest has been paused
| Disabling Ingestion |
dataspace.datatype | |
Repository datatype has been updated
| |
dataspace.delete | |
A repository has been deleted
| Delete a Repository or View |
dataspace.kind | |
Dataspace kind has been updated
| |
dataspace.limit-id | |
Repository limit has been updated
| Repository and View Settings |
dataspace.max-ingest-request-size | |
Repository max ingest request size has been changed
| |
dataspace.query | |
Query has been executed
| |
dataspace.retention | |
Retention settings have been changed
| Data Retention |
dataspace.settings | |
Repository settings have been updated
| Repository and View Settings |
dataspace.taggroupingrules | |
Repository tag grouping rules have been updated
| Tag Grouping |
dataspace.unblock | |
The ingest pause has been cleared
| Disabling Ingestion |
delete.events | |
Events have been deleted
| |
dynamicconfig.set | |
A dynamic configuration value has been updated
| Dynamic Configuration |
email-action.create | |
An email action has been created
| Action Type: Email |
email-action.update | |
An email action has been updated
| Action Type: Email |
eventforwarder.delete | |
An event forwarder has been deleted
| Event Forwarders |
eventforwarder.disable | |
An event forwarder has been disabled
| Event Forwarders |
eventforwarder.enable | |
An event forwarder has been enabled
| Event Forwarders |
eventforwarder.kafka.create | |
An event forwarder has been created
| Event Forwarders |
eventforwarder.kafka.update | |
An event forwarder has been updated
| Event Forwarders |
eventforwardingrule.add | |
An event forwarding rule has been added
| Event Forwarding Rules |
eventforwardingrule.delete | |
An event forwarding rule has been deleted
| Event Forwarding Rules |
eventforwardingrule.update | |
An event forwarding rule has been updated
| Event Forwarding Rules |
fdrfeed-controls.update | |
Falcon Data Replicator feed controls have been created
| Ingesting FDR Data into a Repository |
fdrfeed.create | |
Falcon Data Replicator feed configurations have been created
| Ingesting FDR Data into a Repository |
fdrfeed.delete | |
Falcon Data Replicator feed configurations have been deleted
| Ingesting FDR Data into a Repository |
fdrfeed.update | |
Falcon Data Replicator feed configurations have been updated
| Ingesting FDR Data into a Repository |
featureflag.global.update | |
A feature flag has been updated at the cluster level
| Enabling & Disabling Feature Flags, Syntax |
featureflag.org.update | |
A feature flag has been updated at the organization level
| Enabling & Disabling Feature Flags, Syntax |
featureflag.user.update | |
A feature flag has been updated at the user level
| Enabling & Disabling Feature Flags, Syntax |
fieldaliasing.schema.create | |
A field aliasing schema has been created
| Configuring Field Aliasing |
fieldaliasing.schema.delete | |
A field aliasing schema has been deleted
| Configuring Field Aliasing |
fieldaliasing.schema.disable-org | |
A field aliasing schema in an organization has been disabled
| Configuring Field Aliasing |
fieldaliasing.schema.disable-view | |
Field aliasing on a view has been disabled
| Configuring Field Aliasing |
fieldaliasing.schema.enable-org | |
A field aliasing schema has been enabled on an organization
| Configuring Field Aliasing |
fieldaliasing.schema.enable-views | |
A field aliasing schema has been enabled on a view
| Configuring Field Aliasing |
fieldaliasing.schema.update | |
A field aliasing schema has been updated
| Configuring Field Aliasing |
filterAlert.clear-error | |
A filter alert error condition has been cleared
| Monitoring Alerts |
filterAlert.create | |
A filter alert has been created
| Creating Alerts |
filterAlert.delete | |
A filter alert has been deleted
| Deleting an Alert |
filterAlert.disable | |
A filter alert has been disabled
| Disabling an Alert |
filterAlert.enable | |
A filter alert has been enabled
| Disabling an Alert |
filterAlert.update | |
A filter alert has been updated
| Editing Alerts |
fleet.collectors.unenroll | |
Fleet collectors have been unenrolled
| Unenroll LogScale Collector |
flushingstate.org.clear | | | |
flushingstate.org.update | | | |
group.membership.change | |
A user has been added or removed in a group
| Group Memberships |
group.organizationrole.assigned | |
An organization role has been assigned to a group
| Assigning Roles to Groups |
group.organizationrole.unassigned | | | Assigning Roles to Groups |
group.role.assigned | |
A role has been assigned to a group
| Assigning Roles to Groups |
group.role.unassigned | |
A role has been removed from a group
| Assigning Roles to Groups |
group.systemrole.assigned | |
The system role has been added to a group
| Managing Groups |
group.systemrole.unassigned | |
The system role has been removed from a group
| Managing Groups |
hashedtokens.change | |
An API token has been changed
| API Tokens |
hashedtokens.rotate | |
An API token has been rotated
| API Tokens |
humio-repo-action.create | |
A LogScale repo action has been created
| Action Type: Falcon LogScale Repository |
humio-repo-action.update | |
A LogScale repo action has been updated
| Action Type: Falcon LogScale Repository |
identityProvider | |
Identity providers have been changed
| Authentication & Identity Providers |
ingest.block | | | |
ingestconsumer.force-release | | | |
ingestfeed.create | |
An ingest feed has been created
| Setting up a New Ingest Feed |
ingestfeed.delete | |
An ingest feed has been deleted
| Deleting an Ingest Feed |
ingestfeed.reset-quota | | | |
ingestfeed.update | |
An ingest feed has been updated
| Editing an Ingest Feed Configuration |
ingestlistener.create | |
An ingest listener has been created
| Ingest Listeners |
ingestlistener.delete | |
Ingest listeners have been deleted
| Ingest Listeners |
ingestlistener.update | |
Ingest listeners have been updated
| Ingest Listeners |
iocaccess.update | | | |
ipfilters.change | |
An IP filter has been updated
| Editing an IP Filter |
login.bridge.allowed.users | |
Third party authentication allowed users have been updated
| |
login.bridge.change | |
Third party authentication method has been changed
| |
login.bridge.delete | |
Third party authentication method has been deleted
| |
login.bridge.generate.login | |
Third party authentication user login request has been generated
| |
login.bridge.terms.change | |
Third-party authentication has been updated
| |
no-op-action.create | | | |
no-op-action.update | | | |
notifications.create | |
A notification has been created
| |
notifications.delete | |
A notification has been deleted
| |
notifications.user.change | |
Notification user has been updated
| |
notifications.user.create | |
Notification user has been created
| |
notifications.user.delete | |
Notification user has been deleted
| |
ops-genie-action.create | |
OpsGenie action has been created
| Action Type: OpsGenie |
ops-genie-action.update | |
OpsGenie action has been updated
| Action Type: OpsGenie |
org.datasources.import | | | |
org.metadata.import | | | |
org.metadata.import.rollback | | | |
org.segments.import | | | |
organizations | |
Organization settings have been changed
| |
organizations.batch | | | |
organizations.buckets.readonly | | | |
organizations.cid.set | | | |
organizations.cross.change | | | |
organizations.link.create | | | |
organizations.link.unlink | | | |
organizations.link.unlink.child | | | |
organizations.queryhandles.ownership-batch.update | |
Query ownership handles have been batch updated
| Updating Organization Ownership for Existing Queries |
organizations.securitypolicies.actions.update | |
The security policy for Actions has been updated
| Changing Actions Security Policies |
organizations.securitypolicies.shared-dashboards.update | |
Shared dashboard security policies have been updated
| Dashboard Security Policies |
organizations.securitypolicies.tokens.update | |
Security policy for API tokens has been updated
| API Token Security Policies |
organizations.selected.batch | | | |
organizations.subscription.change | | | |
organizations.transfer.user | |
A user has been moved between organizations
| |
organizations.update.foreignkey | | | |
organizations.users | |
Organization users have been updated
| |
organizations.users.batch | |
Users within an organization have been batch updated
| |
orgtransfer-job-status.create | | | |
orgtransfer-job-status.delete | | | |
package.entity.create | |
An item (query, dashboard, widget) within a package has been changed
| |
package.entity.delete | |
An item (query, dashboard, widget) within a package has been deleted
| |
package.error | |
A package error has been triggered
| |
package.install | |
A package has been installed
| Installing & Updating Packages |
package.uninstall | |
A package has been uninstalled
| Installing & Updating Packages |
package.update | |
A package has been updated
| Installing & Updating Packages |
pager-duty-action.create | |
A PagerDuty action has been created
| Action Type: PagerDuty |
pager-duty-action.update | |
A PagerDuty action has been updated
| Action Type: PagerDuty |
parser.create | |
A parser has been created
| Creating a Parser |
parser.delete | |
A parser has been deleted
| Creating a Parser |
parser.update | |
A parser has been updated
| |
query-blocklist.add | |
Query blocklist has been created
| Blocking Queries |
query-blocklist.remove | |
Query blocklist has been removed
| Blocking Queries |
query-quota.set | |
Query quota setting has been updated
| Query Quotas |
query.stop-all-queries | |
All queries have been stopped
| stopAllQueries() |
query.stop-exporting-queries | |
All streaming (live) queries have been stopped
| stopStreamingQueries() |
query.stop-static-queries | |
All historical queries have been stopped
| stopHistoricalQueries() |
readonly.dashboard.accessed | |
A read-only dashboard has been accessed
| Sharing Dashboards |
readonly.dashboard.update | |
A read-only dashboard has been updated
| |
redirectingest.org.clear | | | |
redirectingest.org.update | | | |
repo.users | |
User access to a repo or view has been changed
| |
repository.create | |
A repository has been created
| Creating a Repository or View |
role.objectaction.change | |
Role has been changed
| |
role.organizationpermissions.change | |
Role organization permissions have been changed
| Organization Administration Permissions, Managing Roles |
role.systempermissions.change | |
Role system permissions have been changed
| Cluster Management Permissions, Managing Roles |
role.viewpermissions.change | |
Role view or repository permissions have been changed
| Repository & View Permissions, Managing Roles |
s3-archiving.configure | | | |
s3-archiving.disable | | | |
s3-archiving.enable | | | |
s3-archiving.restart | | | |
saved-query.create | |
A saved query has been created
| User Functions (Saved Searches) |
saved-query.delete | |
A saved query has been deleted
| User Functions (Saved Searches) |
saved-query.update | |
A saved query has been updated
| User Functions (Saved Searches) |
scheduled-search.clear-error | |
A scheduled search error condition has been cleared
| Scheduled Searches |
scheduled-search.create | |
A scheduled search has been created
| Creating a Scheduled Search |
scheduled-search.delete | |
A scheduled search has been deleted
| Scheduled Searches |
scheduled-search.update | |
A scheduled search has been updated
| Scheduled Searches |
segment.delete | |
A segment has been deleted
| |
sessions.revoke | |
A user session has been revoked
| revokeSession(), Managing Sessions within an Organization |
slack-action.update | |
Slack action has been updated
| Action Type: Slack |
slack-post-message-action.create | |
Slack message action has been created
| Action Type: Slack |
slack-post-message-action.update | |
Slack message action has been updated
| Action Type: Slack |
subdomain.remove | |
Subdomain settings have been removed
| |
subdomain.set | |
Subdomain settings have been updated
| |
system-repository.create | |
LogScale system repository has been created
| |
tokens | |
API or security tokens have been updated
| API Tokens |
transfer.ingest-redirection | | | |
transfer.metadata | | | |
transfer.segment | | | |
transfer.snapshot | |
TRANSFER_SNAPSHOT
| |
transfercheckmark.org.update | | | |
transfercheckmarks.org.update | | | |
transferjob.added | | | |
transferjob.cancelled | | | |
transferstate.org.update | | | |
upload-file-action.create | |
Upload file action has been created
| Action Type: Upload File |
upload-file-action.update | |
Upload file action has been updated
| Action Type: Upload File |
uploaded-file.create | |
A lookup file has been created
| Creating a File, UploadFileAction |
uploaded-file.delete | |
An uploaded file has been deleted
| Exporting or Deleting a File |
uploaded-file.update | |
An uploaded file has been updated
| UploadFileAction, Lookup Files |
user.accept-standard-mandatory-dod-notice-and-consent | |
User has accepted the usage notice
| |
user.accept-terms | |
User has accepted the terms
| |
user.invite-accepted | |
User has accepted an invite
| Managing Users |
user.invited | |
A user has been invited to access the cluster
| Managing Users |
user.profile | |
User settings have been changed
| Managing Users |
user.roles.change | |
The roles assigned to a user have been changed
| Managing Users |
user.signin | |
User has signed in
| |
user.signout | |
User has signed out (manually or automatically)
| |
victor-ops-action.create | |
A VictorOps action has been created
| Action Type: VictorOps (Splunk On-Call) |
victor-ops-action.update | |
A VictorOps action has been updated
| Action Type: VictorOps (Splunk On-Call) |
view.delete | |
A repository or view has been deleted
| |
view.rename | |
A repository or view has been renamed
| |
view.restore | |
VIEW_RESTORE
| |
viewinteraction.create | | | |
viewinteraction.delete | | | |
viewinteraction.update | | | |
webhook-action.create | |
A webhook action has been created
| Action Type: Webhooks |
webhook-action.update | |
A webhook action has been updated
| Action Type: Webhooks |