Archive

Bulk import users?

Contributor

I am using Splunk with SSO (Shibboleth) for authentication. Unfortunately, I still need to create a Splunk user for every user coming in through SSO.

How can I bulk import users into Splunk, preferably from the command line?

  • There is a file named $SPLUNK_HOME/etc/passwd. I have added users to this file, but they don't appear in the web interface under http://splunk.example.org/en-US/manager/launcher/authentication/users . In addition, Splunk removes users from this file periodically.

  • The command $SPLUNK_HOME/bin/splunk import userdata -dir /tmp/export.dat, but there is almost no documentation about this feature, and I cannot find anything which describes the format of export.dat . It looks as if this feature is really intended to export userdata from Splunk and import it to another Splunk instance, which is not what I am trying to do.

Tags (1)
0 Karma
1 Solution

Contributor

Well, in the end I just ended up doing a loop like:

for USER in $USERLIST
do
    $SPLUNK_HOME/bin/splunk add user ${USER}@example.org -password jibberish
done

Not quite a bulk import, but it gets the job done.

View solution in original post

0 Karma

Contributor

Well, in the end I just ended up doing a loop like:

for USER in $USERLIST
do
    $SPLUNK_HOME/bin/splunk add user ${USER}@example.org -password jibberish
done

Not quite a bulk import, but it gets the job done.

View solution in original post

0 Karma

Engager

Hi,
We have a scenario like one deployment server and two search heads. Can we bulk load the users from deployment servers for the searchheads?

0 Karma

Splunk Employee
Splunk Employee

Have you tried adding users using a script with the CLI (import userdata)?

Splunk Employee
Splunk Employee

Oh look, yes you did. Not sure how I missed that, sorry!

0 Karma

Contributor

Yes I have, which is why I mentioned import userdata in my question.

0 Karma

Splunk Employee
Splunk Employee

It is the authz that require the user to be available in splunk, you can workaround by either
creating a LDAP strategy pointing to your Shibboleth identity store if it is LDAP.
or
duplicating the Shibboleth user identities in the Splunk with proper role mapping
I use a script like this to create a local splunk users

#!/bin/sh
FILE=$HOME/scripts/uids.txt
ACTION=$1

user_add()
{
line1=$1
curl -k  -u admin:changeme -X POST -d "name=$line&password=$line&roles=admin" https://localhost:8089/services/authentication/users
#curl -k  -u admin:changeme -X POST -d "name=$line&password=$line&roles=splunk_role_edit_tcp" https://localhost:8089/services/authentication/users
 echo "Creating User $line"
return 0
}
user_del()
{
line1=$1
curl -k  -u admin:changeme -X DELETE https://localhost:8089/services/authentication/users/$line1
 echo "Deleting User $line"
return 0
}
user_auth()
{
line1=$1
curl -k -X POST -d "username=$line1&password=$line1" https://localhost:8089/services/auth/login
 echo "Authenticating User $line"
return 0
}

cat $FILE|while read line
do
if [ $ACTION = "add" ]
then
 user_add $line
elif [ $ACTION = "del" ]
then
 user_del $line
else
 user_add $line
 user_auth $line
 user_del $line
fi
done 

my uids.txt is something like, I use uid/pwd same but you get the point


LewisUser0
Cesar
User1
MarkUser2
James
User3

hope this helps