Great ! Thank you !
I modified this query to get the real names :
index=_audit action=edit_user operation=create
| join user type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as user_name, title as user]
| join object type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as edited_user_name, title as object]
| sort - timestamp
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%m/%Y %H:%M:%S.%3N" ctime(timestamp)
| rename user as user_id, object as edited_user_id
| table user_id user_name edited_user_id edited_user_name timestamp
... View more