To access the Audit Trail dashboards, take these steps:

1. In the Splunk Web, from the Apps Panel, select Audit Trail to open the app.
2. In the Apps bar, select the Users tab or the Object Modifications tab depending on the activities you want to analyze.

The Audit Trail dashboards display search results showing the following activities:

• Users. Here, you can view user activities, like logins, failed logins, searches, and admin actions.
• Object Modifications. Here, you can view creations, updates, and deletions of knowledge objects, like saved searches, dashboards, reports, lookups, and field extractions.

To customize the dashboards, filter the search results by, for example, actions, context of the action, and time range.

Use the Splunk platform to search your audit log to review and alert on administrative access:

1. Run this search to audit user access:

   index="_audit" action=log*  action="login attempt"

2. Find the location from which users are accessing the Splunk platform instance:

   index="_internal" | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S.%Q") | table timestamp, user, clientip

3. Consider setting up a real time alert on administrative user access:

   (index="_audit" action=log* action="login attempt") OR (index="_internal") user=admin

   See the Alerting Manual for more information about creating alerts.
4. You can also do the following:
   • Create dashboards that collect and display your chosen searches, see Build Dashboards in Splunk Web in the Dashboards and Visualizations Manual.
   • Copy an existing dashboard, like Users or Object modifications, and adjust it to your needs. See Edit dashboards.