topic Re: Report on users & roles in Splunk Search

Report on users & roles

chris — Thu, 08 Sep 2011 07:34:18 GMT

Is there an easy way I can list & export all users that have a certain role or that have access to a certain index or a certain capability?

It would be nice if I could do something like:

| metadata type=users

index=_users role=xy

or any other method would be ok

Re: Report on users & roles

Ant1D — Tue, 13 Sep 2011 10:14:55 GMT

The following search will show you what capabilities each user has used within the timeframe that you set:

index=_audit user=* action=* | dedup user action | stats list(action) AS actions by user

Re: Report on users & roles

chris — Wed, 14 Sep 2011 09:25:49 GMT

Thank you for your answer. It kind of helps. I guess the real requirement behind my question is the following: The owner of some data that is in Splunk wants to know who had access to "his" data (=index) at a specific point in time and if the person has read only or also delete priviledges & what priviledges have been used. So you answer helps in showing what priviledges have been used. But I would also like to have a index to role to user mapping ... does that make sense?

Re: Report on users & roles

Ant1D — Wed, 14 Sep 2011 13:00:10 GMT

Makes sense. I will have a go when I get a minute.

Re: Report on users & roles

Ant1D — Wed, 21 Sep 2011 10:41:46 GMT

I had a look at this earlier today. I haven't had much luck. There doesn't appear to be a straightforward way of achieving this format of mapping.

Re: Report on users & roles

chris — Wed, 21 Sep 2011 16:02:04 GMT

Thanks for looking into this.