Splunk Enterprise Security

Create weekly report of user activity with (add, modify, delete) in Splunk with required fields username , host, activity type, date time

kthudi6
New Member

I did tried with below query where as i am getting action results edit but i am not able see what is edited like deep dive result. Basically i need to see if anyone in the roles edited, added and deleted something in splunk .

index=_audit user!=splunk-system-user user!="n/a" (action=edit OR action=create OR action=delete)
| table _time user, action info host

Result Table:
Date&time: aaaaaaaaa
user: AAAAAA
action: edit_deployment_client, edit_user(This result i need to see what is edited by user in deep dive result)
host: BBBBBBBB

Thanks in adavance

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...