All Apps and Add-ons

Retrieve Add-on input account details using SPL in Splunk

Varun18
Loves-to-Learn

Hi Team,

Is there a direct way to retrieve a list of usernames or accounts configured in Splunk Add-ons (such as those used in modular inputs, scripted inputs, or API connections) using Splunk SPL?

Regards,
VK

Labels (1)
0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @Varun18 

Its not easy to get a list of all the usernames, but passwords is easy with the /services/storage/passwords endpoint.

However you might have some success with the following search I've put together. It uses a map command so be careful - it gathers the passwords then attempts to reconstruct the stanza from the config file it originated in!

| rest /services/storage/passwords 
| search clear_password!="``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``" 
| table clear_password realm username 
| rex field=realm ".+\#(?<app>[^\#]+)\#(?<configPath>.+)" 
| table app configPath username * 
| rex field=username "(?<stripUsername>[^\`]+)" 
| stats latest(*) AS *, list(clear_password) as concat_clear_password by configPath username app 
| eval restPath="/servicesNS/-/-/".configPath."/".stripUsername 
| map maxsearches=100 search="
| rest $restPath$ 
| foreach * [| eval secretField=mvappend(secretField,IF('<<FIELD>>'==\"******\",\"<<FIELD>>\",null()))]
            | eval clear_password=\"$concat_clear_password$\"
                    | eval configPath=\"$configPath$\"
                    | eval app=\"$app$\"
                    | fields - eai:* author disabled published updated splunk_server
" 
| rex field=configPath "configs/conf-(?<configFileName>[^\/]+)" 
| eval isJson=IF(json_valid(clear_password),"isJson","NotJson") 
| tojson 
| eval jsonKeys=json_array_to_mv(json_keys(_raw)) 
| eval stanza="==".app."/".configFileName.".conf== 

[".title."]
" 
| foreach jsonKeys mode=multivalue 
    [| eval stanza=stanza.IF(<<ITEM>> IN ("id","secretField","title","configFileName","configPath","isJson","clear_password","app"),"",<<ITEM>>."=".coalesce(json_extract(clear_password,<<ITEM>>),json_extract(_raw,<<ITEM>>))."
")] 
| table stanza

livehybrid_0-1747218656889.png

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Varun18 ,

no it isn't any direct way.

The only workaround, if you have a Deployment Server, is to create (on this server) a monitor stanza that reads all the conf files in the apps in $SPLUNK_HOME/etc/deployment-apps and sends them into an index.

In this way, you can access these information by SPL.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...