How can I see who created users

New Member

We are using Splunk Authorization and I found 67 unexpected users in "Manager » Access controls » Users" list. Not only that; but they are all marked "Authentication system = Scripted".
I would like to know who created these users and when. I have tried with:
index=_audit action="edit_user" operation="create" (searching "All time").
But that only gives me the "normal" users - and not even all of them.

How can I see who created the rest of the users?

Tags (4)
0 Karma


The users that were added through scripted authentication were synchronized from the external scripted authentication system that you're using. For more information, see


Link referenced is no longer accessible. tried the click here anyway and that doesn't go anywhere. please correct or post answer that applies to the current version 5.x. thank you.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...