The following search will show you what capabilities each user has used within the timeframe that you set:
index=_audit user=* action=* | dedup user action | stats list(action) AS actions by user
Thanks for looking into this.
I had a look at this earlier today. I haven't had much luck. There doesn't appear to be a straightforward way of achieving this format of mapping.
Makes sense. I will have a go when I get a minute.
Thank you for your answer. It kind of helps. I guess the real requirement behind my question is the following: The owner of some data that is in Splunk wants to know who had access to "his" data (=index) at a specific point in time and if the person has read only or also delete privileges & what privileges have been used. So your answer helps in showing what privileges have been used. But I would also like to have an index to role to user mapping ... does that make sense?
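The index-to-role-to-user mapping asked for above can be built offline from the role definitions and a user-to-role listing. The following is an added example, not code from the thread or from Splunk: it assumes role stanzas in authorize.conf format (importRoles, srchIndexesAllowed, "capability = enabled"), a user listing obtained separately (for instance from the authentication/users REST endpoint), and treats only the delete_by_keyword capability as a delete right; the stanzas and users below are constructed sample data.

```python
import configparser, fnmatch

# Constructed authorize.conf stanzas (not from the thread); real stanzas use the same keys.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
search = enabled
[role_finance_ro]
importRoles = user
srchIndexesAllowed = finance_*
[role_finance_admin]
importRoles = finance_ro
delete_by_keyword = enabled
"""
# Constructed user -> roles listing (e.g. from | rest /services/authentication/users).
USER_ROLES = {"alice": ["finance_admin"], "bob": ["finance_ro"], "carol": ["user"]}

def parse_roles(text):
    """Return {role: (imported roles, index patterns, enabled capabilities)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for stanza in (s for s in cp.sections() if s.startswith("role_")):
        split = lambda key: [x for x in cp[stanza].get(key, "").split(";") if x]
        caps = {k for k, v in cp[stanza].items() if v.strip().lower() == "enabled"}
        roles[stanza[5:]] = (split("importRoles"), split("srchIndexesAllowed"), caps)
    return roles

def effective(roles, role, seen=()):
    """Follow importRoles recursively; unknown or cyclic imports are skipped."""
    if role in seen or role not in roles:
        return set(), set()
    imports, patterns, caps = roles[role]
    patterns, caps = set(patterns), set(caps)
    for parent in imports:
        p_idx, p_caps = effective(roles, parent, (*seen, role))
        patterns, caps = patterns | p_idx, caps | p_caps
    return patterns, caps

def index_access(roles, user_roles, indexes):
    """Map each index to the users who can search it, their roles and delete rights."""
    out = {}
    for user, assigned in user_roles.items():
        for role in assigned:
            patterns, caps = effective(roles, role)
            for index in (i for i in indexes if any(fnmatch.fnmatchcase(i, p) for p in patterns)):
                entry = out.setdefault(index, {}).setdefault(user, {"roles": [], "can_delete": False})
                entry["roles"].append(role)
                entry["can_delete"] |= "delete_by_keyword" in caps
    return out
```

Run it against a snapshot of the role and user listings taken at the point in time in question; the result lists, per index, who could search it, through which role, and whether the role chain also granted delete_by_keyword.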