<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to create a query for user accesses and role indexes? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433480#M75771</link>
    <description>&lt;P&gt;Hi Folks,  I'm trying to create a query that shows users who have logged in and the indexes they belong to or use (one of the two options...).  Something like:  LAST_LOGIN_DATE, USER, REAL_NAME, INDEX_NAME.   But sadly I cannot retrieve the indexes for some of them, and sometimes they are repeated in the result.  I created a query using some other examples from the web, without success.  Could you help me?  Thank you so much!&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title [
    | rest /services/authorization/roles splunk_server=local
    | table title srchInd*
    | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault)
    | table title indexes
    | mvexpand indexes
    | dedup title indexes
    | eval indexes_orig=indexes
    | join indexes max=0 type=left [
        | rest /services/data/indexes
        | stats count by title
        | table title
        | eval indexes=if(match(title,"^_"),"_*","*")
        | rename title as indexes_new]
    | eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
    | table title indexes]
| join user [
    search index=_audit action="login attempt" info=succeeded
    | dedup user
    | table user timestamp]
| dedup user timestamp
| table timestamp user realname indexes
| sort - timestamp
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Tue, 29 Sep 2020 19:47:55 GMT</pubDate>
    <dc:creator>hermeschu</dc:creator>
    <dc:date>2020-09-29T19:47:55Z</dc:date>
    <item>
      <title>How to create a query for user accesses and role indexes?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433480#M75771</link>
      <description>&lt;P&gt;Hi Folks,  I'm trying to create a query that shows users who have logged in and the indexes they belong to or use (one of the two options...).  Something like:  LAST_LOGIN_DATE, USER, REAL_NAME, INDEX_NAME.   But sadly I cannot retrieve the indexes for some of them, and sometimes they are repeated in the result.  I created a query using some other examples from the web, without success.  Could you help me?  Thank you so much!&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title [
    | rest /services/authorization/roles splunk_server=local
    | table title srchInd*
    | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault)
    | table title indexes
    | mvexpand indexes
    | dedup title indexes
    | eval indexes_orig=indexes
    | join indexes max=0 type=left [
        | rest /services/data/indexes
        | stats count by title
        | table title
        | eval indexes=if(match(title,"^_"),"_*","*")
        | rename title as indexes_new]
    | eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
    | table title indexes]
| join user [
    search index=_audit action="login attempt" info=succeeded
    | dedup user
    | table user timestamp]
| dedup user timestamp
| table timestamp user realname indexes
| sort - timestamp
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 19:47:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433480#M75771</guid>
      <dc:creator>hermeschu</dc:creator>
      <dc:date>2020-09-29T19:47:55Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a query for user accesses and role indexes?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433481#M75772</link>
      <description>&lt;P&gt;If you're talking about access permissions a user (or role) may have for some index, try this approach (I've modified some of your base code, but I think you were going in the right direction...):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title
    [| rest /services/authorization/roles
    | table title srchIndexesAllowed srchIndexesDefault
    | eval indexes=coalesce(srchIndexesAllowed,srchIndexesDefault)
    | table title indexes]
| join user
    [ search index=_audit action="login attempt" info=succeeded
    | dedup user
    | table user timestamp]
| table timestamp user realname indexes
| sort - timestamp&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 18:33:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433481#M75772</guid>
      <dc:creator>larmesto</dc:creator>
      <dc:date>2018-06-01T18:33:57Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a query for user accesses and role indexes?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433482#M75773</link>
      <description>&lt;P&gt;That worked fine!  Thank you! &lt;/P&gt;</description>
      <pubDate>Fri, 01 Jun 2018 19:27:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-query-for-user-accesses-and-role-indexes/m-p/433482#M75773</guid>
      <dc:creator>hermeschu</dc:creator>
      <dc:date>2018-06-01T19:27:10Z</dc:date>
    </item>
  </channel>
</rss>