Splunk Admin Account Activity – Role Modifications

This Splunk query shows when the admin account performed Create or Modify Roles actions:

index="_audit" action=edit_roles operation=* | table _time user operation object*

1	index="_audit" action=edit_roles operation=* \| table _time user operation object*

Splunk Query Repository