https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462190#M10752 <P>it did not work for me, there were users that appeared with no type (Probably because they no longer exist)</P> Wed, 05 Feb 2020 16:30:47 GMT rsaude 2020-02-05T16:30:47Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462186#M10748 <P>Hey everyone, </P> <P>Is there a way to check for which kind of authentication method is being used by splunk in a log? (Splunk itself, SAML or LDAP)</P> <P>Thanks in advanced</P> Wed, 05 Feb 2020 15:13:59 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462186#M10748 rsaude 2020-02-05T15:13:59Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462187#M10749 <P>As far as I know that in splunk logs those information are not available.</P> Wed, 05 Feb 2020 16:09:47 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462187#M10749 harsmarvania57 2020-02-05T16:09:47Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462188#M10750 <P>i feard that, in any case if anyone knows a work around feel free to share please</P> Wed, 05 Feb 2020 16:11:50 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462188#M10750 rsaude 2020-02-05T16:11:50Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462189#M10751 <P>Try below search (It is ugly because of join) but I think it will give you a result.</P> <PRE><CODE>index=_audit host=&lt;your host&gt; action="login attempt" | fields user, action, info, src | join type=left user [| rest /services/authentication/users splunk_server=local f=title f=type | rename title as user | fields user, type ] | table user, type, action, info, src </CODE></PRE> Wed, 05 Feb 2020 16:26:43 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462189#M10751 harsmarvania57 2020-02-05T16:26:43Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462190#M10752 <P>it did not work for me, there were users that appeared with no type (Probably because they no longer exist)</P> Wed, 05 Feb 2020 16:30:47 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462190#M10752 rsaude 2020-02-05T16:30:47Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462191#M10753 <P>I managed to get it working for me, but thank you for your help anyway </P> Wed, 05 Feb 2020 16:33:02 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462191#M10753 rsaude 2020-02-05T16:33:02Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462192#M10754 <P>With the app <A href="https://splunkbase.splunk.com/app/1866/">https://splunkbase.splunk.com/app/1866/</A><BR /> i was able to get one of the dashboards which displayed what i wanted,</P> <P>Name: Users by authentication type<BR /> Code: <CODE>| rest splunk_server=local /services/authentication/users | stats count by type</CODE></P> Wed, 05 Feb 2020 16:33:43 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462192#M10754 rsaude 2020-02-05T16:33:43Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462193#M10755 <P>It's not 100% correct since it wasn't in a log but since i got it to work i'll call it a win.</P> Wed, 05 Feb 2020 16:34:56 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462193#M10755 rsaude 2020-02-05T16:34:56Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462194#M10756 <P>Yes, query which I have provided will give you type if that user exist in splunk, it it does not exist then it will give you blank.</P> Wed, 05 Feb 2020 16:38:13 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462194#M10756 harsmarvania57 2020-02-05T16:38:13Z https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462195#M10757 <P>Welcome... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 05 Feb 2020 16:38:36 GMT https://community.splunk.com/t5/Security/authentication-method-in-a-query-on-splunk/m-p/462195#M10757 harsmarvania57 2020-02-05T16:38:36Z