I issued this search: index="_audit" | top user limit="1000" attempting to see the users on my system. Some of the output had "n/a" in the user field. What does this mean?
asked 07 Jun '10, 18:51
Splunk will record the user as "n/a" if there's no user associated with the particular log entry. An example of this is the recording of the completion of searches. This is a system-wide activity, and the user who invoked the search is recorded when the search started.
Similarly, fschange-initiated audit entries cannot be tied to a particular user and are recorded as "n/a."
answered 07 Jun '10, 20:14
Stephen Sorkin ♦
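Added example, not part of the original answer and not Splunk's own code: since the invoking user is recorded when a search starts, a search-completion entry logged as "n/a" can be attributed by joining it to the start entry for the same search, while fschange entries stay "n/a". The sample events are constructed, and the key=value layout and the field names `action`, `info` and `search_id` are assumptions about how the audit events are laid out.

```python
import re
from collections import Counter

# Constructed sample audit events (not real Splunk output). The key=value
# layout and the field names action, info and search_id are assumptions.
SAMPLE_EVENTS = [
    "Audit:[timestamp=06-07-2010 18:40:01.000, user=alice, action=search, info=granted, search_id='1275936001.1']",
    "Audit:[timestamp=06-07-2010 18:40:09.000, user=n/a, action=search, info=completed, search_id='1275936001.1']",
    "Audit:[timestamp=06-07-2010 18:41:00.000, user=bob, action=search, info=granted, search_id='1275936060.2']",
    "Audit:[timestamp=06-07-2010 18:41:30.000, user=n/a, action=search, info=completed, search_id='1275936060.2']",
    "Audit:[timestamp=06-07-2010 18:42:00.000, user=n/a, action=fschange, info=modified, path='/constructed/example.conf']",
    "Audit:[timestamp=06-07-2010 18:43:00.000, user=n/a, action=search, info=completed, search_id='1275936180.3']",
]

# key=value pairs; values are either single-quoted or run to the next comma.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")


def parse_event(line):
    """Turn one audit line into a dict of its fields."""
    return {k: v.strip().strip("'") for k, v in FIELD_RE.findall(line)}


def attribute_users(lines):
    """Count events per user, resolving "n/a" through search_id where possible.

    Returns (counts, unresolved): counts maps user -> events, unresolved maps
    action -> number of events that are still "n/a" after the join.
    """
    events = [parse_event(line) for line in lines]
    # First pass: remember which user started each search.
    started_by = {e["search_id"]: e["user"] for e in events
                  if e.get("search_id") and e.get("user", "n/a") != "n/a"}
    counts, unresolved = Counter(), Counter()
    for e in events:
        user = e.get("user", "n/a")
        if user == "n/a":
            # Completion entries carry no user; borrow it from the start entry.
            user = started_by.get(e.get("search_id"), "n/a")
        counts[user] += 1
        if user == "n/a":
            unresolved[e.get("action", "unknown")] += 1
    return counts, unresolved


if __name__ == "__main__":
    counts, unresolved = attribute_users(SAMPLE_EVENTS)
    print(dict(counts), dict(unresolved))
```

Entries that remain "n/a" after the join are the ones with no user to tie them to, such as fschange events, or completions whose start entry falls outside the data being examined.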