https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176614#M14756 <P>It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)</P> <P>index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=<EM>cerner</EM> | table title roles last | sort title</P> <P>Thanks for your help!!</P> Thu, 12 Dec 2013 19:58:52 GMT maciep 2013-12-12T19:58:52Z https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176610#M14752 <P>Is there anyway to list users who have logged into Splunk along with the Splunk roles they are mapped to? I can get the first part with the search below, but I don't know how to tie their roles to the results.</P> <P>index=_audit action="login attempt" | dedup user | sort user | table user</P> Thu, 12 Dec 2013 15:38:04 GMT https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176610#M14752 maciep 2013-12-12T15:38:04Z https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176611#M14753 <P>Try this ... index=_audit action="login attempt" | dedup user | join [| rest /services/authentication/users ] | table user roles</P> Thu, 12 Dec 2013 19:15:06 GMT https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176611#M14753 rroberts 2013-12-12T19:15:06Z https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176612#M14754 <P>This is super clever, but it doesn't work for me- I correctly get a list of logged-in users, but with the roles all incorrectly as 'user'. I modified your search slightly and it seems to work for me-</P> <P>index=_audit action="login attempt" | dedup user | join user [| rest /services/authentication/users | rename title as user ] | table user, roles</P> Thu, 12 Dec 2013 19:33:49 GMT https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176612#M14754 zenmoto 2013-12-12T19:33:49Z https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176613#M14755 <P>Glad you found it useful!</P> Thu, 12 Dec 2013 19:37:23 GMT https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176613#M14755 rroberts 2013-12-12T19:37:23Z https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176614#M14756 <P>It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)</P> <P>index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=<EM>cerner</EM> | table title roles last | sort title</P> <P>Thanks for your help!!</P> Thu, 12 Dec 2013 19:58:52 GMT https://community.splunk.com/t5/Security/Search-for-Splunk-logon-and-role-info/m-p/176614#M14756 maciep 2013-12-12T19:58:52Z