Suppose one user "ABC" has tagged user role after some time someone his role has been changed as power or something else.
How to write query to track these role changes?
you can see the action, who did it and which user was modified like this:
index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted
| stats values(user) as who_did_it values(object) as user_changed by _time
hope it helps
View solution in original post
Splunk only writes about changes made to user & its roles,
But it dont write what changes were made.
index=_audit "action=edit_user" user=yourusername