Deployment Architecture

Help finding all users on my system

jcorkey
Explorer

I have splunk enterprise running on a linux box and I also have splunk universal forwarder running on a second linux box. How can I write a search that will display all currently existing users on my universal forwarder? I'm not talking about showing logs that are associated with all users...I simply want a list of all users on my forwarder that exist at the time the search was ran.

EDITED:
For example....If I login to my linux box that has the universal forwarder on it and run adduser user1, adduser user2, adduser user3,
THEN on my Splunk enterprise I could run my search string and it would list user1, user2, user3 (given that those were the only three users that exist on my linux universal forwarder).

How can I accomplish this? What data do I need to get from my forwarder?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi jcorkey,
are you speaking about Linux or Splunk Users?
if Linux Users, you have to install on your forwarder a TA-Linux that contains a script to collect Linux users.
If you don't want to install the full TA_Linux, you can take only the script to extract users ($SPLUNK_HOME/etc/apps/Splunk_TA_nix/ bin/usersWithLoginPrivs.sh).
After you can search them in Splunk with a simple search ( index=os | dedup users | table users ).
Bye.
Giuseppe

0 Karma

jcorkey
Explorer

linux users NOT splunk users...I edited my questions above. And thanks I'll look into your suggestion.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Can you clarify a bit? Are you looking for all of the linux users that exist on the machine where you have a forwarder installed?

You wouldn't log in to a Universal Forwarder, so there wouldn't be multiple users defined on one. Are you referring to a Heavy Forwarder?

If its a Heavy Forwarder, you could use the following to get a list of users and their roles.

|rest /services/authentication/users splunk_server=local 
 |fields title roles realname|rename title as userName|rename realname as Name
0 Karma

jcorkey
Explorer

linux users NOT splunk users...I edited my questions above

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.