Getting Data In

Why does Linux Auditd App filter out root for the user lookup?

Splunk Employee
Splunk Employee


I have been using the Linux Auditd app, which has been great, but I noticed that the learnt_posix_identities  lookup filters out the root user.


[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type="USER_START" acct=* NOT acct=root NOT auid=0 terminal=/dev/tty* OR NOT addr=? | dedup auid | table auid acct | rename auid as _key | rename acct as user | outputlookup append=true learnt_posix_identities


A lot of my syscalls are coming from root and the dashboards display unknown user. I could just manually edit the KV Store to add root, however I wanted to understand why this filter was here to make sure I don't break something.



Labels (2)
0 Karma


The root user is the only truly universal user on any Linux machine so it's not in the learnt identities but the static identities lookup (, and they get merged together automatically. Best check your static identities lookup to ensure it has root in it.

Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...