Returns audit trail information that is stored in the local audit index. This command also validates signed audit events while checking for gaps and tampering.
Example 1: View information in the "audit" index.
index="_audit" | audit
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the audit command.
This documentation applies to the following versions of Splunk Cloud™: 6.5.1, 6.5.0, 6.5.1612, 6.6.0, 6.6.1, 6.6.3, 7.0.0, 7.0.2, 7.0.3