What is N/A in the user field?

IT_Bullgod · ‎06-07-2010

I issued this search: index="_audit" | top user limit="1000" attempting to see the users on my system. Some of the output had "n/a" in the user field. What does this mean?

Stephen_Sorkin · ‎06-07-2010

Splunk will record the user as "n/a" if there's no user associated with the particular log entry. An example of this is the recording of the completion of searches. This is a system wide activity and the user who invoked the search is recorded when the search started.

Similarly fschange-initiated audit entries cannot be tied to a particular user and are recorded as "n/a."

splunkettes · ‎08-17-2020

Do you know why audittrail shows "N/A" for user when a Splunk user creates a lookup file? For example, I created a lookup file testingLookupCreationAudit.csv using the outputlookup command and the logged event for it showed,

Audit:[timestamp=08-17-2020 15:02:32.078, user=n/a, action=add,path="/data/1/splunk/etc/apps/search/lookups/testingLookupCreationAudit.csv", isdir=0, size=117, gid=1001, uid=1001, modtime="Mon Aug 17 14:54:10 2020", mode="rw-------", hash=][n/a]

Why didn't Splunk log my user name in this event?

What is N/A in the user field?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!