https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/607913#M211371 <P>I'm trying to create a table that displays the following result</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%">Appname</TD> <TD width="20%">Amount of users with read access</TD> <TD width="20%">amount of users that have accessed in the last 2 months</TD> <TD width="20%">Open Access</TD> <TD width="20%">Protected Access</TD> </TR> <TR> <TD width="20%">AppX</TD> <TD width="20%">&lt;number&gt;</TD> <TD width="20%">&lt;number&gt;</TD> <TD width="20%">O</TD> <TD width="20%">P</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I know that I can use the rest api for most (maybe all) of this.</P> <P>The following tells me which apps there are and with what roles a user has read access.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest /servicesNS/-/-/apps/local splunk_server="local" | fields label, eai:acl.perms.read | rename eai:acl.perms.read as roles | sort by label | search label!=_searchhead_config</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The following tells me what users there are and what roles they have.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest /services/authentication/users splunk_server=local | fields title roles | mvexpand roles | rename title as userName</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>What I want to do now is to combine those and by the roles, match which users have access to a certain app, and than count how many there are.</P> <P>I'm a newbie and I've tried all kinds of things with join, append, appendcols but it never gives me the results I need. Can someone point me in the right direction?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Aug 2022 15:21:01 GMT SevenDos 2022-08-02T15:21:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/607913#M211371 <P>I'm trying to create a table that displays the following result</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%">Appname</TD> <TD width="20%">Amount of users with read access</TD> <TD width="20%">amount of users that have accessed in the last 2 months</TD> <TD width="20%">Open Access</TD> <TD width="20%">Protected Access</TD> </TR> <TR> <TD width="20%">AppX</TD> <TD width="20%">&lt;number&gt;</TD> <TD width="20%">&lt;number&gt;</TD> <TD width="20%">O</TD> <TD width="20%">P</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I know that I can use the rest api for most (maybe all) of this.</P> <P>The following tells me which apps there are and with what roles a user has read access.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest /servicesNS/-/-/apps/local splunk_server="local" | fields label, eai:acl.perms.read | rename eai:acl.perms.read as roles | sort by label | search label!=_searchhead_config</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The following tells me what users there are and what roles they have.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest /services/authentication/users splunk_server=local | fields title roles | mvexpand roles | rename title as userName</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>What I want to do now is to combine those and by the roles, match which users have access to a certain app, and than count how many there are.</P> <P>I'm a newbie and I've tried all kinds of things with join, append, appendcols but it never gives me the results I need. Can someone point me in the right direction?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Aug 2022 15:21:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/607913#M211371 SevenDos 2022-08-02T15:21:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/607981#M211400 <P>Here's one way to combine those searches.&nbsp; I'm sure there are other possibilities.&nbsp; It depends on what the output needs to look like.</P><P>&nbsp;</P><LI-CODE lang="markup">| rest /servicesNS/-/-/apps/local splunk_server="local" | fields label, eai:acl.perms.read | rename eai:acl.perms.read as roles | mvexpand roles | sort by label | search label!=_searchhead_config | append [| rest /services/authentication/users splunk_server=local | fields title roles | eval roles=mvappend (roles, "*") | mvexpand roles | rename title as userName] | stats values(*) as * by roles | table userName roles label</LI-CODE><P>&nbsp;</P> Wed, 03 Aug 2022 13:28:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/607981#M211400 richgalloway 2022-08-03T13:28:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/608035#M211413 <P>Thanks for the response. What is happening in line 14? Is that an accidental paste that I should remove, or does there have to be an additional join there? Looks like the former as this is where the search starts with. Removing it tells me there is no roles.</P><P>I would want the output to look like:</P><TABLE border="1" width="63.99810606060606%"><TBODY><TR><TD width="33.333333333333336%">label (name of the app)</TD><TD width="33.333333333333336%">amount of users that have read access to this app</TD></TR></TBODY></TABLE> Wed, 03 Aug 2022 08:28:46 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/608035#M211413 SevenDos 2022-08-03T08:28:46Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/608082#M211430 <P>Sorry about the copy-paste error.&nbsp; I've fixed it.</P><P>The current query produces a list of apps, the roles with access to the apps, and users with those roles.</P> Wed, 03 Aug 2022 13:30:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-search-that-displays-the-amount-of-users-on/m-p/608082#M211430 richgalloway 2022-08-03T13:30:55Z