
I issued this search: index="_audit" | top user limit="1000" attempting to see the users on my system. Some of the output had "n/a" in the user field. What does this mean?

asked 07 Jun '10, 18:51


IT Bullgod


One Answer:

Splunk will record the user as "n/a" if there's no user associated with the particular log entry. An example of this is the recording of the completion of searches. This is a system-wide activity, and the user who invoked the search is recorded when the search started.

Similarly, fschange-initiated audit entries cannot be tied to a particular user and are recorded as "n/a."


answered 07 Jun '10, 20:14


Stephen Sorkin ♦


Copyright © 2005-2012 Splunk Inc. All rights reserved.