Security

What is N/A in the user field?

IT_Bullgod
Splunk Employee
Splunk Employee

I issued this search: index="_audit" | top user limit="1000" attempting to see the users on my system. Some of the output had "n/a" in the user field. What does this mean?

Tags (1)

Stephen_Sorkin
Splunk Employee
Splunk Employee

Splunk will record the user as "n/a" if there's no user associated with the particular log entry. An example of this is the recording of the completion of searches. This is a system wide activity and the user who invoked the search is recorded when the search started.

Similarly fschange-initiated audit entries cannot be tied to a particular user and are recorded as "n/a."

splunkettes
Path Finder

Do you know why audittrail shows "N/A" for user when a Splunk user creates a lookup file? For example, I created a lookup file testingLookupCreationAudit.csv using the outputlookup command and the logged event for it showed,

Audit:[timestamp=08-17-2020 15:02:32.078, user=n/a, action=add,path="/data/1/splunk/etc/apps/search/lookups/testingLookupCreationAudit.csv", isdir=0, size=117, gid=1001, uid=1001, modtime="Mon Aug 17 14:54:10 2020", mode="rw-------", hash=][n/a]

Why didn't Splunk log my user name in this event?

Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...