Hi,
I would like to see the roles of the created users, not the roles of the user who created the account. Is there a way to do this?
index=_audit action=edit_user operation=create
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp = strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| join user
[| rest /services/authentication/users
| fields title roles
| rename title AS user ]
| rename object as created_user, user as created_by
| stats values(roles) as user_roles values(timestamp) as timestamp values(host) as created_on by timestamp_formated created_user created_by
| sort - timestamp
| fields - timestamp
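One way to attach the created account's roles, as an added example that is not part of the original post: rename `object` to `created_user` before the join, then join on `created_user` so the REST lookup matches the new account rather than the account that performed the action. It reuses the post's own field names; `type=left` keeps audit events for accounts that no longer exist on the search head.

```spl
index=_audit action=edit_user operation=create
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| rename object AS created_user, user AS created_by
| join type=left created_user
    [| rest /services/authentication/users
     | fields title roles
     | rename title AS created_user ]
| stats values(roles) AS created_user_roles values(timestamp) AS timestamp values(host) AS created_on by timestamp_formated created_user created_by
| sort - timestamp
| fields - timestamp
```

The REST endpoint returns the roles each account holds now, not the roles assigned when it was created, so a role change after creation will not be visible in this report.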