Dear Splunkers,
I am trying to search "index=_audit" to audit config-change events on our Splunk servers.
(For example: who creates indexes, creates users, adds inputs, etc.)
But I only got a lot of "action=edit_user, info=granted" events, for example :
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a]
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
I can't understand the information from the _audit index.
Am I missing something?
Or are there other ways to audit the config-change events in Splunk?
Regards,