I have splunk enterprise running on a linux box and I also have splunk universal forwarder running on a second linux box. How can I write a search that will display all currently existing users on my universal forwarder? I'm not talking about showing logs that are associated with all users...I simply want a list of all users on my forwarder that exist at the time the search was ran.
For example....If I login to my linux box that has the universal forwarder on it and run adduser user1, adduser user2, adduser user3,
THEN on my Splunk enterprise I could run my search string and it would list user1, user2, user3 (given that those were the only three users that exist on my linux universal forwarder).
How can I accomplish this? What data do I need to get from my forwarder?
are you speaking about Linux or Splunk Users?
if Linux Users, you have to install on your forwarder a TA-Linux that contains a script to collect Linux users.
If you don't want to install the full TA_Linux, you can take only the script to extract users ($SPLUNK_HOME/etc/apps/Splunk_TA_nix/ bin/usersWithLoginPrivs.sh).
After you can search them in Splunk with a simple search ( index=os | dedup users | table users ).