
How to get a list of index that an user can access



I have users with multiple roles, and some roles have inheritance from other roles.

Is there an easy way to find all indexes readable by a user?




| rest /services/authentication/current-context splunk_server=local 
| rename username AS username roles AS role 
| mvexpand role 
| fields realname username role email 
| join type=outer role 
    [ rest /services/authorization/roles splunk_server=local 
    | rename title AS role 
    | eval role_indexes=mvjoin(srchIndexesAllowed,";") 
    | eval imported_indexes=mvjoin(imported_srchIndexesAllowed,";") 
    | eval allowed_indexes=mvappend(imported_indexes, role_indexes) 
    | fields role allowed_indexes role_indexes imported_indexes 
    | rex mode=sed field=allowed_indexes "s/;/\n/g"]
| join type=outer role 
    [ rest /services/admin/LDAP-groups splunk_server=local 
    | mvexpand roles 
    | fields roles, strategy,title 
    | rename roles as role 
    | rename title as ADGroup] 
| table realname username email role allowed_indexes,ADGroup,strategy

Splunk Employee

Check out Homepage App for Splunk. It provides a search that does this, and also provides the sourcetypes and one-click drilldown into search to make exploring easier for users. Depending on your use case, this may provide helpful searches to build on.

- MattyMo


If you're using LDAP and have a large organisation, you may not have all users available in the users endpoint. Additionally, if you have complicated your environment, you might have nested Splunk roles.

The following search will take account of nested groups, and show the mapped LDAP groups for your roles. This assumes you're running this on your DMC host - change the values of splunk_server_group as required (for example, if you're running the search on a single-instance setup you would use splunk_server=local instead).

| rest splunk_server_group=dmc_group_search_head /services/authorization/roles 
| fields title srchIndexesAllowed splunk_server 
| mvexpand srchIndexesAllowed 
| stats values(title) as roles by splunk_server srchIndexesAllowed 
| mvexpand roles 
| $indexes$
| rename srchIndexesAllowed as index 
| join type=left max=0 roles splunk_server 
    [| rest splunk_server_group=dmc_group_search_head /services/admin/LDAP-groups 
    | fields title roles splunk_server 
    | where match(roles,".+") 
| join type=left max=0 roles splunk_server 
    [| rest splunk_server_group=dmc_group_search_head /services/authorization/roles 
    | fields title imported_roles splunk_server 
    | mvexpand imported_roles 
    | rename title as roles] 
| join type=left max=0 splunk_server imported_roles 
    [| rest splunk_server_group=dmc_group_search_head /services/authorization/roles 
    | fields title imported_roles splunk_server 
    | mvexpand imported_roles 
    | rename imported_roles as inherits 
    | rename title as imported_roles] 
| stats values(roles) as roles1 values(imported_roles) as inherit1 values(inherits) as inherit2 by splunk_server title 
| eval roles=mvappend(roles1,inherit1,inherit2) 
| fields splunk_server title roles 
| rename title as group 
| mvexpand roles 
| stats values(group) as groups by splunk_server roles]
| stats values(groups) as ad_groups values(roles) as splunk_roles by splunk_server index 
| makemv delim=" " ad_groups 
| eval ad_groups=mvdedup(ad_groups)

Note the token value $indexes$ on line 6 - that's where you should filter for which index you want to see. We have a multivalue picker that fills out a token like so: where match(srchIndexesAllowed,"^\*|^value1$|^value2$|..."), but you can put any filter you like there.

This search will also show any roles that have all-non-internal granted for srchIndexesAllowed.



Er, this doesn't quite do what the OP asked, in that it's from an index perspective rather than a user one.



See Martin's great response here:

Here is what he provided.

 | rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
 | join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
 | makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
 | fillnull value=" "
 | mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
 | join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
 | join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
 | stats values(*) as * by user
 | foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
 | fields - Indexes*
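
Added example, not part of any answer in this thread: the same per-user resolution done offline in Python over data shaped like the REST endpoints used above, following role inheritance to any depth and expanding wildcards against the index list. The role, user and index names are constructed sample data, and the rule that internal indexes (leading underscore) only match patterns that start with an underscore is an assumption taken from the `_*` / `*` split in the search above.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like /services/authorization/roles
# (title -> srchIndexesAllowed, imported_roles), /services/authentication/users
# (title -> roles) and /services/data/indexes (title). Not real output.
ROLES = {
    "user":     {"srchIndexesAllowed": ["main"],     "imported_roles": []},
    "power":    {"srchIndexesAllowed": ["web_*"],    "imported_roles": ["user"]},
    "soc_l1":   {"srchIndexesAllowed": ["firewall"], "imported_roles": ["power"]},
    "soc_l2":   {"srchIndexesAllowed": ["_audit"],   "imported_roles": ["soc_l1"]},
    "platform": {"srchIndexesAllowed": ["*", "_*"],  "imported_roles": []},
}
USERS = {"alice": ["soc_l2"], "bob": ["user"], "carol": ["platform"]}
INDEXES = ["main", "web_prod", "web_dev", "firewall", "_audit", "_internal"]


def expand_roles(direct_roles, roles):
    """Return the direct roles plus every role inherited at any depth."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role in seen or role not in roles:
            continue  # already visited (cycle-safe) or unknown role name
        seen.add(role)
        stack.extend(roles[role]["imported_roles"])
    return seen


def pattern_matches(pattern, index):
    """Wildcard match; internal indexes need a pattern starting with "_"."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def readable_indexes(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Sorted concrete index names the user can search via all effective roles."""
    patterns = {
        p
        for r in expand_roles(users[user], roles)
        for p in roles[r]["srchIndexesAllowed"]
    }
    return sorted(i for i in indexes if any(pattern_matches(p, i) for p in patterns))


if __name__ == "__main__":
    for name in USERS:
        print(name, readable_indexes(name))
```

Reviewing the output per user makes over-broad grants easy to spot, such as a role that carries both `*` and `_*`.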