Getting Data In

Why does Linux Auditd App filter out root for the user lookup?

Splunk Employee
Splunk Employee


I have been using the Linux Auditd app, which has been great, but I noticed that the learnt_posix_identities  lookup filters out the root user.


[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type="USER_START" acct=* NOT acct=root NOT auid=0 terminal=/dev/tty* OR NOT addr=? | dedup auid | table auid acct | rename auid as _key | rename acct as user | outputlookup append=true learnt_posix_identities


A lot of my syscalls are coming from root and the dashboards display unknown user. I could just manually edit the KV Store to add root, however I wanted to understand why this filter was here to make sure I don't break something.



Labels (2)
0 Karma


The root user is the only truly universal user on any Linux machine so it's not in the learnt identities but the static identities lookup (, and they get merged together automatically. Best check your static identities lookup to ensure it has root in it.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...