Hello there,
you can see the action, who did it and which user was modified like this:
index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted
| stats values(user) as who_did_it values(object) as user_changed by _time
hope it helps
Hello there,
you can see the action, who did it and which user was modified like this:
index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted
| stats values(user) as who_did_it values(object) as user_changed by _time
hope it helps
Hi @vin02
Splunk only writes about changes made to user & its roles,
But it dont write what changes were made.
index=_audit "action=edit_user" user=yourusername
Thanks