<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to Audit Splunk User Activities? in Splunk Cloud Platform</title>
    <link>https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-Audit-Splunk-User-Activities/m-p/654716#M2448</link>
    <description>&lt;P&gt;Dear Splunk Community,&lt;/P&gt;
&lt;P&gt;I have tried somehow to monitor user activities with Splunk. Through the documentation I found that I can analyze it through index=_audit, however, in these records there are activities that I have not carried out directly.&lt;/P&gt;
&lt;P&gt;For example, if I apply the query: "index=_audit user=my.user | stats count by user,action" in the last 24 hours, the result will show actions like: edit_local_apps, search, list_workload_pools, list_health, quota, edit_roles, edit_roles_grantable, etc. And of those, the only activity that I performed directly was "search".&lt;/P&gt;
&lt;P&gt;Perhaps you know how to discriminate from all the audited actions those that I carried out directly?&lt;/P&gt;</description>
    <pubDate>Thu, 17 Aug 2023 18:11:16 GMT</pubDate>
    <dc:creator>keperez</dc:creator>
    <dc:date>2023-08-17T18:11:16Z</dc:date>
    <item>
      <title>How to Audit Splunk User Activities?</title>
      <link>https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-Audit-Splunk-User-Activities/m-p/654716#M2448</link>
      <description>&lt;P&gt;Dear Splunk Community,&lt;/P&gt;
&lt;P&gt;I have tried somehow to monitor user activities with Splunk. Through the documentation I found that I can analyze it through index=_audit, however, in these records there are activities that I have not carried out directly.&lt;/P&gt;
&lt;P&gt;For example, if I apply the query: "index=_audit user=my.user | stats count by user,action" in the last 24 hours, the result will show actions like: edit_local_apps, search, list_workload_pools, list_health, quota, edit_roles, edit_roles_grantable, etc. And of those, the only activity that I performed directly was "search".&lt;/P&gt;
&lt;P&gt;Perhaps you know how to discriminate from all the audited actions those that I carried out directly?&lt;/P&gt;</description>
      <pubDate>Thu, 17 Aug 2023 18:11:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-Audit-Splunk-User-Activities/m-p/654716#M2448</guid>
      <dc:creator>keperez</dc:creator>
      <dc:date>2023-08-17T18:11:16Z</dc:date>
    </item>
  </channel>
</rss>

