Splunk Enterprise Security

Create weekly report of user activity with (add, modify, delete) in Splunk with required fields username , host, activity type, date time

kthudi6
New Member

I did tried with below query where as i am getting action results edit but i am not able see what is edited like deep dive result. Basically i need to see if anyone in the roles edited, added and deleted something in splunk .

index=_audit user!=splunk-system-user user!="n/a" (action=edit OR action=create OR action=delete)
| table _time user, action info host

Result Table:
Date&time: aaaaaaaaa
user: AAAAAA
action: edit_deployment_client, edit_user(This result i need to see what is edited by user in deep dive result)
host: BBBBBBBB

Thanks in adavance

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...