Splunk search for Splunk User Creations, Modifications, Deletions

index=_audit action=edit_user operation=create
| rename object as user
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp)
| table user timestamp
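Search to track creations, modifications, and deletions of Splunk user accounts from the _audit index. As written, the operation=create filter limits the results to account creations; remove that filter to return the other edit_user operations as well.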

Category:

Admin


Tags:

Admin user _audit audit account management

Search Commands:
