topic Which users use the REST API? in Security https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509714#M11619 <P>We are planning to move to SAML SSO soon. One of the drawbacks of SAML is that you cannot authenticate on the API any longer. Up to this point, any user defined to use splunkweb has had access to the API. How can I find out who will be impacted by yanking API access?</P><P>&nbsp;</P> Fri, 17 Jul 2020 13:57:17 GMT twinspop 2020-07-17T13:57:17Z Which users use the REST API? https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509714#M11619 <P>We are planning to move to SAML SSO soon. One of the drawbacks of SAML is that you cannot authenticate on the API any longer. Up to this point, any user defined to use splunkweb has had access to the API. How can I find out who will be impacted by yanking API access?</P><P>&nbsp;</P> Fri, 17 Jul 2020 13:57:17 GMT https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509714#M11619 twinspop 2020-07-17T13:57:17Z Re: Which users use the REST API? https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509735#M11620 <P>I'd start with this query.</P><LI-CODE lang="markup">index=_internal source="*splunkd_access.log" NOT (user="-" OR user="splunk-system-user") | dedup user | table user</LI-CODE> Fri, 17 Jul 2020 15:31:05 GMT https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509735#M11620 richgalloway 2020-07-17T15:31:05Z Re: Which users use the REST API? https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509740#M11621 <P>The catches both API and splunkweb users. I'm not clear how to isolate them</P> Fri, 17 Jul 2020 15:47:41 GMT https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/509740#M11621 twinspop 2020-07-17T15:47:41Z Re: Which users use the REST API? https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/510158#M11628 <P>Try:</P><P>SearchHeadLevel - platform_stats.audit metrics users</P><P><A href="https://github.com/gjanders/SplunkAdmins/blob/master/default/savedsearches.conf" target="_self">SplunkAdmins GitHub </A>&nbsp;or <A href="https://splunkbase.splunk.com/app/3796/" target="_self">Alerts for Splunk Admins (splunkbase)</A></P> Tue, 21 Jul 2020 04:39:43 GMT https://community.splunk.com/t5/Security/Which-users-use-the-REST-API/m-p/510158#M11628 gjanders 2020-07-21T04:39:43Z