Returns audit trail information that is stored in the local audit index. This command also validates signed audit events while checking for gaps and tampering.
Example 1: View information in the "audit" index.
index="_audit" | audit
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the audit command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.2, 7.0.0, 7.0.3, 7.0.5, 7.1.3