How do I set up an email notification that is triggered by a user add/update/delete/activate?
You can do that in 3 steps.
1) Verify the user add/update/delete/activate events are indexed in Splunk.
2) Search the appropriate index for the events.
3) When you have search results you like, select "Alert" from the Save As menu. Complete the form and select "Send email" from the Trigger Actions menu.
@richgalloway thank you for the quick response. I'm new to Splunk and need to set up an email notification. I've been working through documentation for several days now, and I'm still not getting this done.
Would you please tell me how to accomplish this?
1) Verify the user add/update/delete/activate events are indexed in Splunk.
Your problem is not well-defined.
Splunk can only search (and alert based on) events that are in Splunk. It's not clear whether you are trying to find added/changed/whatever _Splunk users_ (which should be at least partially achievable, but the approach to this task can differ based on whether you have a 9.x Splunk version, which has the _configtracker index, or an earlier one) or if you want to find in your Splunk data info about user accounts from other systems. In the latter case you need to have the information from those systems ingested into Splunk first in order to be able to find anything.
Hi
You also must have a working email sending feature configured on your Splunk. You could test this with the sendemail command like
index=*
| head 1
| stats count
| sendemail to="<your email address>" subject="Testing Splunk email sending"
If this sends email to you, then email sending is configured and in use. Otherwise your Splunk admin needs to configure it with your organisation's email operator.
After that you could use the email action in the Alert configuration.
r. Ismo
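As an added example (not from any poster in this thread), here is the savedsearches.conf stanza that the "Save As > Alert" form from step 3 produces behind the scenes, with the email action Ismo refers to; keeping it in a local/ file lets you review and version it. The search line is an assumption for Splunk-local user changes via the _audit index and must be adapted to wherever your user events actually are indexed, as discussed above.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf  (path is an example)
[User account change notification]
# ASSUMPTION: Splunk-local user add/edit/delete actions audited as edit_user;
# replace with the search you validated interactively in step 2.
search = index=_audit action=edit_user info=granted
# Scheduled every 5 minutes over the previous 5-minute window
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
# Trigger condition: at least one matching event in the window
counttype = number of events
relation = greater than
quantity = 0
# One email per run that lists all matching events, not one per event
alert.digest_mode = 1
alert.track = 1
# Email trigger action; needs the mail server set up in Server settings > Email settings
action.email = 1
action.email.to = secops@example.com
action.email.subject = Splunk alert: user account change ($name$)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

The scheduled search runs as the owning user, so that account needs the schedule_search capability (and, if you send via the sendemail command in the search itself, the same capability applies).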
Just remember that in order to use the sendemail command you need the schedule_search capability (yes, it's a bit counterintuitive).