Splunk queries for artifact attachments, add or download

Document ID : KB000092664
Last Modified Date : 26/04/2018
Question:
How can one query Splunk to see who uploaded or downloaded an attachment?
Answer:

The following query shows who downloaded an attachment, when, and the attachment name. The subID and project OOID can be added to the query to limit the results. Limiting the time frame through the Splunk presets is also recommended.

Downloaded attachments
attachment | spath subscriptionId | search subscriptionId=<ADD subID HERE> | spath projectOid | search projectOid=<ADD project OOID HERE> | spath "javaRequestSpan.httpMethod" | search "javaRequestSpan.httpMethod"=GET | table userId, _time, javaRequestSpan.uri

The following query is for uploaded attachments (add the subID and project OOID as needed):

Upload attachments
Attachments/add | spath subscriptionId | search subscriptionId=<ADD subID HERE> | spath "javaRequestSpan.httpMethod" | search "javaRequestSpan.httpMethod"=POST | spath projectOid | search projectOid=<ADD project OOID HERE> | table userId, _time, javaRequestSpan.uri

Export a CSV file of the results by clicking the down arrow to the right of the results.
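
As an added example (not part of the original article), the following Python script summarizes the exported CSV per user: request count, distinct attachment URIs, and first and last access time. The column names are the ones the queries above put in the table; the sample rows, the `_time` format and the review threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of the exported CSV; user names, URIs and the _time
# format are made up for illustration.
SAMPLE_CSV = """userId,_time,javaRequestSpan.uri
alice,2018-04-26T10:15:30.000+0000,/attachment/1001/design.pdf
bob,2018-04-26T10:16:02.000+0000,/attachment/1002/notes.txt
alice,2018-04-26T10:17:45.000+0000,/attachment/1003/budget.xlsx
alice,2018-04-26T10:18:10.000+0000,/attachment/1001/design.pdf
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # assumed export format


def summarize(csv_text):
    """Return {userId: {"requests", "distinct_uris", "first", "last"}}."""
    per_user = defaultdict(lambda: {"times": [], "uris": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Keep rows without a userId visible instead of dropping them.
        user = (row.get("userId") or "").strip() or "(no userId)"
        entry = per_user[user]
        entry["times"].append(datetime.strptime(row["_time"], TIME_FORMAT))
        entry["uris"].add(row["javaRequestSpan.uri"])
    return {
        user: {
            "requests": len(e["times"]),
            "distinct_uris": len(e["uris"]),
            "first": min(e["times"]),
            "last": max(e["times"]),
        }
        for user, e in per_user.items()
    }


def over_threshold(summary, max_distinct):
    """Users who touched more distinct attachment URIs than max_distinct."""
    return sorted(u for u, s in summary.items() if s["distinct_uris"] > max_distinct)


if __name__ == "__main__":
    report = summarize(SAMPLE_CSV)
    for user, s in sorted(report.items()):
        print(user, s["requests"], s["distinct_uris"], s["first"], s["last"])
    print("review:", over_threshold(report, max_distinct=1))
```

To use it on a real export, read the downloaded file's text and pass it to `summarize` in place of `SAMPLE_CSV`, adjusting `TIME_FORMAT` to match the `_time` column.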