Splunk Admin Account Activity – Role Modifications _internal john117 1 0 This Splunk query shows when the admin account performed Create or Modify Roles actions: index="_audit" action=edit_roles operation=* | table _time user operation object* 1 index="_audit" action=edit_roles operation=* | table _time user operation object* Share This: Tagged: _auditadmininternalsplunk on splunk