Splunk gives customers a flexible and easy way to leverage their logs by creating knowledge objects such as reports, alerts, etc. Also, using the power of Splunk configuration files, we were able to create a robust and scalable environment to meet our Splunk needs.

In a big organisation, multiple users create multiple knowledge objects or a myriad of configuration files, which Splunk had no track of. Since those are exposed in the environment, any team member can modify the objects. Such a modification may put the customer in a situation where the outcome doesn't match the expected result.

To overcome this challenge, Splunk 9.0 has introduced a new feature called "_configtracker". The logs, which come from the configuration_change log, track configuration changes as well as the creation, update and deletion of knowledge objects. Users with access to the new internal index="_configtracker" are able to view logs related to changes in the knowledge objects or config files.

When we search index="_configtracker" in our Splunk 9.0 instance, we can see the results.

As discussed above, the logs come from the source named configuration_change log with sourcetype=splunk_configuration_change.

The following path/conf files are being monitored under Configuration Change tracker:

If you do not want a particular file or path to be monitored, you can blacklist it in server.conf, in the stanza named config_change_tracker, under deny_list.

Here we have excluded savedsearches.conf in the clocify app, in both the default and the local folder, from being monitored.

Let's create a new saved search for a report called "Weekly report on Users", covering the users who are logged in to a particular host, and see the changes tracked by config_tracker.

index=_audit NOT (user="n/a" OR user="splunk-system-user" OR user="-1" OR "scheduler__nobody__search" OR "nobody") action="login attempt" | chart count over host by user useother=f | addtotals

Now if we query index="_configtracker", we are able to see the recently added saved search, as shown below.

If you expand it by clicking on the "+" icon, you can see the stanza name which we have given and also the new as well as the old value of the query we have defined, as shown in the image below.


Now let's make some changes to our query and see the logs in _configtracker.

Here we have changed the action to action=edit_server in our report and saved it.

Now if we look at index="_configtracker", we are able to see the recently modified saved search, as shown below.

As mentioned, the old value, i.e. action="login attempt", has been replaced with the new value action="edit_server" for the stanza name/report we have created.
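
The same review can be done offline on an exported copy of the change log. The following is an added example, not part of the original post or of Splunk's own code: it reads change events one JSON object per line and reports every saved-search property whose value changed, with stanza name, old value and new value. The JSON field layout, the file paths, the shortened queries and the WATCHED_KEYS list are assumptions constructed for the illustration.

```python
import json

# Constructed sample of change-log lines (one JSON object each).
# ASSUMPTION: the field layout (data.path, data.action, data.changes[].stanza,
# properties[].name / old_value / new_value) is illustrative.
_OLD = 'index=_audit action="login attempt" | chart count over host by user'
_NEW = 'index=_audit action=edit_server | chart count over host by user'

def _event(path, action, stanza, name, old, new):
    return json.dumps({"component": "ConfigChange", "data": {
        "path": path, "action": action,
        "changes": [{"stanza": stanza, "properties": [
            {"name": name, "old_value": old, "new_value": new}]}]}})

_SS = "/opt/splunk/etc/apps/search/local/savedsearches.conf"  # constructed path
SAMPLE_LOG = "\n".join([
    _event(_SS, "add", "Weekly report on Users", "search", "", _OLD),
    _event(_SS, "update", "Weekly report on Users", "search", _OLD, _NEW),
    _event("/opt/splunk/etc/system/local/props.conf", "update",
           "syslog", "TZ", "", "UTC"),
    '{"component": "ConfigChange", "data": {"path": "/opt/spl',  # truncated line
])

WATCHED_KEYS = {"search", "cron_schedule", "disabled"}  # hypothetical watch list

def saved_search_changes(log_text):
    """Return one record per watched property change in any savedsearches.conf."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # blank, truncated or non-JSON line
        data = event.get("data") if isinstance(event, dict) else None
        if not isinstance(data, dict):
            continue
        path = str(data.get("path", "")).replace("\\", "/")
        if path.rsplit("/", 1)[-1] != "savedsearches.conf":
            continue  # only saved searches are of interest here
        for change in data.get("changes") or []:
            for prop in change.get("properties") or []:
                old, new = prop.get("old_value", ""), prop.get("new_value", "")
                if prop.get("name") in WATCHED_KEYS and old != new:
                    findings.append({"action": data.get("action"), "path": path,
                                     "stanza": change.get("stanza"),
                                     "key": prop.get("name"), "old": old, "new": new})
    return findings

if __name__ == "__main__":
    for f in saved_search_changes(SAMPLE_LOG):
        print(f"{f['action']:6} [{f['stanza']}] {f['key']}: {f['old']!r} -> {f['new']!r}")
```
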

