index=_audit action=edit_user operation=create |rename object as user |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") |convert timeformat="%d/%b/%Y" ctime(timestamp) |table user timestamp

If I use the above query, I get only part of the users (17 users) with username and account created date, but not the whole list of users (400 users) with username and account created date. Is there any restriction in Splunk? Why is it only pulling part of the users list and not the complete list?