When Was The User Account Created


Hi, I wonder whether someone may be able to help me please.

I'm using the query below to list the current user accounts:

|rest /services/authentication/users splunk_server=local
|fields realname
|rename realname as user
|table user

Could someone tell me please is there a way to determine when the account was created.

I have tried:

|rest /services/authentication/users splunk_server=local 

But there is no such field that I can see, only when the account was last updated.

I just wonder whether someone may be able to point me in the right direction as to where I may find this information.

Many thanks and kind regards


1 Solution


I don't think this info is available. If you have a look at your .conf and corresponding .meta files, you can see that this data is not recorded, only last modtime. I doubt the rest endpoint looks any place other than there.

You could search the index _audit for the earliest occurrence of user names.



Hi, for those of you who may be interested, I think I may have found a solution to this using the query below:

index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp

I hope this helps.

Many thanks and kind regards



Great! Thank you!

I modified this query to get the real names:

index=_audit action=edit_user operation=create
| join user type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as user_name, title as user]
| join object type=left [| rest /services/authentication/users splunk_server=local | fields realname, title | rename realname as edited_user_name, title as object]
| sort - timestamp
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
| convert timeformat="%d/%m/%Y %H:%M:%S.%3N" ctime(timestamp)
| rename user as user_id, object as edited_user_id
| table user_id user_name edited_user_id edited_user_name timestamp
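As an added example (not code from any poster in this thread), the same lookup the solution's SPL performs, done offline in Python: parse _audit events, keep the latest edit_user/create per account so a removed-and-recreated account reports the creation of the account that exists now, and mark accounts with no create event as unknown rather than guessing. The audit lines, the operation values and the REST user list are constructed stand-ins, not real Splunk output.

```python
import re
from datetime import datetime

# Constructed sample _audit events in the "Audit:[key=value, ...]" shape that
# the thread's fields (timestamp, user, action, object, operation) come from.
SAMPLE_AUDIT = """\
Audit:[timestamp=01-10-2024 09:15:02.113, user=admin, action=edit_user, info=granted, object=alice, operation=create]
Audit:[timestamp=01-12-2024 11:02:40.500, user=admin, action=edit_user, info=granted, object=bob, operation=create]
Audit:[timestamp=02-01-2024 16:30:11.008, user=admin, action=edit_user, info=granted, object=bob, operation=remove]
Audit:[timestamp=02-03-2024 08:45:59.321, user=secops, action=edit_user, info=granted, object=bob, operation=create]
Audit:[timestamp=02-05-2024 10:00:00.000, user=admin, action=edit_user, info=granted, object=alice, operation=edit]
"""

# Constructed stand-in for /services/authentication/users: title -> realname.
REST_USERS = {"alice": "Alice Example", "bob": "Bob Example", "carol": "Carol Example"}

KV_RE = re.compile(r"(\w+)=([^,\]]+)")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"  # same layout the thread's strptime uses (%f for millis)


def parse_audit(text):
    """Yield one dict of key/value fields per Audit:[...] line."""
    for line in text.splitlines():
        body = line.partition("Audit:[")[2]
        if body:
            yield dict(KV_RE.findall(body))


def account_creation_times(audit_text, rest_users):
    """Map each login in rest_users to (created_at, created_by).

    Keeps the latest create per object so a deleted-and-recreated account
    reports its current creation. Accounts with no create event in the
    audit data (older than retention, or seeded from conf files) get
    (None, None) instead of a guessed time.
    """
    created = {}
    for ev in parse_audit(audit_text):
        if ev.get("action") != "edit_user" or ev.get("operation") != "create":
            continue
        ts = datetime.strptime(ev["timestamp"], TS_FMT)
        login = ev["object"]
        if login not in created or ts > created[login][0]:
            created[login] = (ts, ev.get("user"))
    return {login: created.get(login, (None, None)) for login in rest_users}


if __name__ == "__main__":
    for login, (ts, by) in account_creation_times(SAMPLE_AUDIT, REST_USERS).items():
        print(login, REST_USERS[login], ts or "unknown (no create in _audit)", by or "-")
```

Accounts that show up in the REST list but never in _audit are the cases the accepted answer warns about: the creation simply was not recorded, or has aged out of the index.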




Hi @jeffland, that's a shame, but thank you for taking the time to come back to me with this.

Kind regards

