Splunk search for Splunk account creations, modifications and deletions

index=_audit user=admin action=edit_user operation=* | eval Time=strftime(_time,"%m/%d/%Y %H:%M:%S") | stats list(Time) as Time, list(operation) as operation, list(object) as object by user
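This search outputs a table of Splunk account creations, modifications and deletions, listing the time, operation and object of each change by the user who made it. As written, the user=admin filter limits the results to changes made by the account named admin.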

Category: General Splunk
Tags: user management audit
