How can I see who created users

New Member

We are using Splunk Authorization and I found 67 unexpected users in "Manager » Access controls » Users" list. Not only that; but they are all marked "Authentication system = Scripted".
I would like to know who created these users and when. I have tried with:
index=_audit action="edit_user" operation="create" (searching "All time").
But that only gives me the "normal" users - and not even all of them.

How can I see who created the rest of the users?

Tags (4)
0 Karma


The users that were added through scripted authentication were synchronized from the external scripted authentication system that you're using. For more information, see


Link referenced is no longer accessible. tried the click here anyway and that doesn't go anywhere. please correct or post answer that applies to the current version 5.x. thank you.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...