Webex Admin Audit Events Input¶
The Webex Admin Audit Events input is used to fetch the data from Admin Audit Events endpoint. It allows users to retrieve organization-wide audit logs all over the account.
Please Note: Due to the API behavior, the selected time range cannot be more than a year. Therefore, If you want to obtain the audit logs that happened more than one year ago, you MUST fill in both Start Time and End Time, and ensure that the range does not exceed one year.
The input uses checkpointing to avoid ingesting duplicate data. After the initial run, the script will save the latest audit event created time as the checkpoint, and will be used as the Start Time (advancing by one millisecond) for the next run.
Configure Webex Admin Audit Events input through Splunk Web¶
- In the Inputs tab select Create New Input.
- Choose Webex Admin Audit Events.
- Enter the information in the related fields using the following input parameters table.
Input Parameters¶
Each attribute in the following table corresponds to a field in Splunk Web.
| Input name | Corresponding field in Splunk Web | Description |
|---|---|---|
name |
Name | A unique name for your input. |
interval |
Interval | Time interval of input in seconds. |
index |
Index | The index in which the data should be stored. The default is default. |
account |
Global Account | The Webex account created in the Configuration tab. |
start_time |
Start Time | Required, Start date and time (inclusive) in the format YYYY-MM-DDTHH:MM:SSZ, example:2023-01-01T00:00:00Z. If you leave the End Time blank, Start Time MUST be within one year from the current time. |
end_time |
End Time | Optional, End date and time in the format YYYY-Mon-DDTHH:MM:SSZ.(Optional), example:2023-02-01T00:00:00Z. End Time must be after the Start Time. |