Is there anyway to list users who have logged into Splunk along with the Splunk roles they are mapped to? I can get the first part with the search below, but I don't know how to tie their roles to the results.
index=_audit action="login attempt" | dedup user | sort user | table user
It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)
index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=cerner | table title roles last | sort title
Thanks for your help!!
This is super clever, but it doesn't work for me- I correctly get a list of logged-in users, but with the roles all incorrectly as 'user'. I modified your search slightly and it seems to work for me-
index=_audit action="login attempt" | dedup user | join user [| rest /services/authentication/users | rename title as user ] | table user, roles