topic Re: How can I search a list of users with all the roles and indexes assigned? in Splunk Search

How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 18:37:31 GMT

I found this search

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

But I have a can_delete role, but it is not listed

Re: How can I search a list of users with all the roles and indexes assigned?

alacercogitatus — Tue, 30 Jun 2015 18:57:41 GMT

You can try this:

| rest /services/authentication/users |rename title as User, roles as Role |stats count by  User Role |fields - count| appendcols [ |rest /services/authorization/roles |table title srchIndexesAllowed|rename title as Role]|stats values(Role) as Role values(srchIndexesAllowed) as Indexes by User

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 19:04:24 GMT

But your search only showed the admin role and indexes only show (_*) and not all the indexes

Re: How can I search a list of users with all the roles and indexes assigned?

alacercogitatus — Tue, 30 Jun 2015 19:24:15 GMT

Try it again. If you see *, that means All Indexes.

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 19:29:28 GMT

your search showed like this

User Role Indexes admin admin * _*

does not showed all indexes name

Re: How can I search a list of users with all the roles and indexes assigned?

alacercogitatus — Tue, 30 Jun 2015 19:46:23 GMT

It won't. That's not how the data is returned. If the role has access to individual indexes, they will show. It is straight from the manager gui page.

Re: How can I search a list of users with all the roles and indexes assigned?

martin_mueller — Tue, 30 Jun 2015 21:37:16 GMT

Your can_delete role is likely not associated with any index, so a left join starting with your indexes isn't going to show it.

Try this:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+) | stats values(*) as * by user

Now with expanded _* and * indexes:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*

Re: How can I search a list of users with all the roles and indexes assigned?

martin_mueller — Tue, 30 Jun 2015 21:37:17 GMT

Don't combine searches, just take the one from my answer.

Re: How can I search a list of users with all the roles and indexes assigned?

martin_mueller — Tue, 30 Jun 2015 21:37:17 GMT

I see... minor issue with mvexpand and null values, I've replaced the search.

Re: How can I search a list of users with all the roles and indexes assigned?

martin_mueller — Tue, 30 Jun 2015 21:37:17 GMT

I've added a slightly more verbose search that will expand * and _* into a list of indexes, give that a shot.

Re: How can I search a list of users with all the roles and indexes assigned?

martin_mueller — Tue, 30 Jun 2015 21:37:17 GMT

So... you want to expand * and _* into a list of all non-internal / internal indexes?

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 21:37:17 GMT

Martin,
This new one you post, does not show the can_delete role, it showed all index and other roles

 | rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 21:37:17 GMT

Thanks Martin! I try the new update search. Now it does not list the can_delete role when combined the search I posted with your search

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Mon, 28 Sep 2020 20:25:53 GMT

Yes , I want it to expand and list all indexes. From the search I posted . It showed like this
index_name Role User
_audit admin xyz
_blocksignature admin xyz
_internal admin xyz
_internal new_user_role xyz
_introspection admin xyz
_thefishbucket admin xyz
christine admin xyz
christine test_role xyz
christine_new admin xyz

but I do not have can_delete role

your query looks like this
user roles srchIndexesAllowed srchIndexesDefault
xyz admin * _* main os

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 21:37:17 GMT

Thanks! Your worked partially. It showed all the role but not all indexes. It does not showed index like _fishbucket, _audit , _blocksignature , _introspection and user created indexes

Re: How can I search a list of users with all the roles and indexes assigned?

cdo_splunk — Tue, 30 Jun 2015 21:46:32 GMT

thanks Martin, It worked now :<). You are the best