Solved: How to track if assigned role has been changed for...

vin02 · ‎07-26-2018

Suppose one user "ABC" has tagged user role after some time someone his role has been changed as power or something else.
How to write query to track these role changes?

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

View solution in original post

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

PowerPacked · ‎07-26-2018

Hi @vin02

Splunk only writes about changes made to user & its roles,
But it dont write what changes were made.

index=_audit "action=edit_user" user=yourusername

Thanks

How to track if assigned role has been changed for any user?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to track if assigned role has been changed for any user?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!