Hi Team,
Is there a direct way to retrieve a list of usernames or accounts configured in Splunk Add-ons (such as those used in modular inputs, scripted inputs, or API connections) using Splunk SPL?
Regards,
VK
Hi @Varun18
It's not easy to get a list of all the usernames, but passwords are easy with the /services/storage/passwords endpoint.
However you might have some success with the following search I've put together. It uses a map command so be careful - it gathers the passwords then attempts to reconstruct the stanza from the config file it originated in!
| rest /services/storage/passwords
| search clear_password!="``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``"
| table clear_password realm username
| rex field=realm ".+\#(?<app>[^\#]+)\#(?<configPath>.+)"
| table app configPath username *
| rex field=username "(?<stripUsername>[^\`]+)"
| stats latest(*) AS *, list(clear_password) as concat_clear_password by configPath username app
| eval restPath="/servicesNS/-/-/".configPath."/".stripUsername
| map maxsearches=100 search="
| rest $restPath$
| foreach * [| eval secretField=mvappend(secretField,IF('<<FIELD>>'==\"******\",\"<<FIELD>>\",null()))]
| eval clear_password=\"$concat_clear_password$\"
| eval configPath=\"$configPath$\"
| eval app=\"$app$\"
| fields - eai:* author disabled published updated splunk_server
"
| rex field=configPath "configs/conf-(?<configFileName>[^\/]+)"
| eval isJson=IF(json_valid(clear_password),"isJson","NotJson")
| tojson
| eval jsonKeys=json_array_to_mv(json_keys(_raw))
| eval stanza="==".app."/".configFileName.".conf==
[".title."]
"
| foreach jsonKeys mode=multivalue
[| eval stanza=stanza.IF(<<ITEM>> IN ("id","secretField","title","configFileName","configPath","isJson","clear_password","app"),"",<<ITEM>>."=".coalesce(json_extract(clear_password,<<ITEM>>),json_extract(_raw,<<ITEM>>))."
")]
| table stanza
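An added example, not part of the answer above and not Splunk's own code: an offline inventory over a saved JSON response from the same endpoint. It reuses the answer's two rex patterns and its placeholder filter to list app, config path and account name without emitting any secret. The entry layout (`content.realm`, `content.username`, `content.clear_password`, `acl.app`), the fallback to the owning app when a realm does not match, and all sample values are assumptions constructed for illustration.

```python
import re

SEP = "``splunk_cred_sep``"
# Placeholder value excluded by the search above (letters of SPLUNK joined by SEP).
PLACEHOLDER = SEP + SEP.join("SPLUNK") + SEP
# Same patterns as the two rex commands in the search above.
REALM_RE = re.compile(r".+#(?P<app>[^#]+)#(?P<configPath>.+)")
USER_RE = re.compile(r"(?P<stripUsername>[^`]+)")

def _entry(realm, username, secret, acl_app):
    """Build one constructed entry shaped like the endpoint's JSON output."""
    return {"content": {"realm": realm, "username": username,
                        "clear_password": secret},
            "acl": {"app": acl_app}}

_REALM = "__REST_CREDENTIAL__#TA_example#configs/conf-ta_example_account"
# Constructed sample data; no real accounts or secrets.
SAMPLE = {"entry": [
    _entry(_REALM, "svc_api" + SEP + "1", "constructed-secret-a", "TA_example"),
    _entry(_REALM, "svc_api" + SEP + "2", "constructed-secret-b", "TA_example"),
    _entry(_REALM, "unused" + SEP + "1", PLACEHOLDER, "TA_example"),
    _entry("", "admin_ro", "constructed-secret-c", "search"),
]}

def inventory(payload):
    """Return sorted (app, configPath, account, entries) tuples, never secrets."""
    counts = {}
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        if content.get("clear_password") == PLACEHOLDER:
            continue  # placeholder entry, same filter as the search
        user = USER_RE.match(content.get("username") or "")
        if user is None:
            continue
        realm = REALM_RE.match(content.get("realm") or "")
        if realm:
            app, path = realm["app"], realm["configPath"]
        else:
            # Realm not in the add-on layout: fall back to the owning app.
            app, path = entry.get("acl", {}).get("app", ""), ""
        key = (app, path, user["stripUsername"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(key + (n,) for key, n in counts.items())

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(*row, sep="\t")
```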
Hi @Varun18 ,
no, there isn't any direct way.
The only workaround, if you have a Deployment Server, is to create (on this server) a monitor stanza that reads all the conf files in the apps in $SPLUNK_HOME/etc/deployment-apps and sends them into an index.
In this way, you can access this information by SPL.
Ciao.
Giuseppe