Search the audit log

Note:

To view audit logs in search results in the format you want, either structured or the older unstructured format, apply sourcetype filters. To learn more, see Selecting a format of audit logs.

Use the Splunk platform to search your audit log to review and alert on administrative access:

  1. Run this search to audit user access:
     index="_audit" action=log* action="login attempt"
  2. Find the location from which users are accessing the Splunk platform instance:
     index="_internal" | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S.%Q") | table timestamp, user, clientip
  3. Consider setting up a real-time alert on administrative user access:
     (index="_audit" action=log* action="login attempt") OR (index="_internal") user=admin
     See the Alerting Manual for more information about creating alerts.
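Building on searches 1 and 3, the following is an added example (not a search from this manual) that turns the raw login-attempt events into an alertable summary: it flags any user with five or more failed logins in a 10-minute window, and every successful admin login together with the client IPs involved. It assumes the audit event's info field carries succeeded or failed, as standard Splunk login-attempt audit events do.

```spl
index="_audit" action="login attempt"
| eval outcome=if(info="succeeded", "success", "failure")
| bin _time span=10m
| stats count(eval(outcome="failure")) AS failures,
        count(eval(outcome="success")) AS successes,
        values(clientip) AS client_ips
  BY _time, user
| where failures >= 5 OR (successes > 0 AND user="admin")
| sort - _time
```

Save it as a scheduled alert over the last 15 minutes so each window is evaluated once; the failures threshold is a constructed starting point and should be tuned to your environment.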

Additional resources:

  • Create dashboards that collect and display your chosen searches. See Build Dashboards in Splunk Web in the Dashboards and Visualizations Manual.
  • Copy an existing dashboard, like Users or Object modifications, and adjust it to your needs. See Edit dashboards.