Greetings,
I am looking for a way to output previous search parameters. I am running:
index=_audit action=search "splunk username"
The results are finding searches performed by that user but are not displaying the actual searches themselves. Is there a way I can show this? Specifically, I want to see if anyone has piped to delete.
As a second question, a role with only delete_by_keyword was created which may have been used. What permission allows my power users to create roles? Is there a way to see who created that role and when? Finally, can I tell what users have been in that role?
Thanks.