Archive

Search for Splunk logon and role info

Champion

Is there anyway to list users who have logged into Splunk along with the Splunk roles they are mapped to? I can get the first part with the search below, but I don't know how to tie their roles to the results.

index=_audit action="login attempt" | dedup user | sort user | table user

Tags (1)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

Try this ... index=_audit action="login attempt" | dedup user | join [| rest /services/authentication/users ] | table user roles

View solution in original post

Splunk Employee
Splunk Employee

Try this ... index=_audit action="login attempt" | dedup user | join [| rest /services/authentication/users ] | table user roles

View solution in original post

Champion

It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)

index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=cerner | table title roles last | sort title

Thanks for your help!!

0 Karma

Splunk Employee
Splunk Employee

Glad you found it useful!

0 Karma

Path Finder

This is super clever, but it doesn't work for me- I correctly get a list of logged-in users, but with the roles all incorrectly as 'user'. I modified your search slightly and it seems to work for me-

index=_audit action="login attempt" | dedup user | join user [| rest /services/authentication/users | rename title as user ] | table user, roles

0 Karma