I have Splunk Enterprise running on a Linux box and I also have Splunk Universal Forwarder running on a second Linux box. How can I write a search that will display all currently existing users on my universal forwarder? I'm not talking about showing logs that are associated with all users... I simply want a list of all users on my forwarder that exist at the time the search was run.
For example, if I log in to my Linux box that has the universal forwarder on it and run `adduser user1`, `adduser user2`, `adduser user3`, THEN on my Splunk Enterprise I could run my search string and it would list user1, user2, user3 (given that those were the only three users that exist on my Linux universal forwarder).
How can I accomplish this? What data do I need to get from my forwarder?
Are you speaking about Linux or Splunk users?
If Linux users, you have to install on your forwarder a TA-Linux that contains a script to collect Linux users.
If you don't want to install the full TA-Linux, you can take only the script to extract users (`$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/users_with_login_privs.sh`).
After that you can search them in Splunk with a simple search: `index=os | dedup users | table users`
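To show what the collection side of this answer looks like in practice, here is an added example (not code from the thread, and not the script shipped in Splunk_TA_nix): a small POSIX shell script meant to be run as a scripted input on the universal forwarder. It lists the accounts in a passwd-format file whose login shell is not one of the conventional no-login shells and prints one `key=value` line per account so Splunk auto-extracts the fields. The inputs.conf stanza, the app name `my_linux_users`, the sourcetype `linux:users` and the sample passwd content are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: enumerate accounts with an interactive login shell and emit
# them as key=value events for Splunk. Deploy as a scripted input on the
# forwarder, e.g. (assumed paths/names):
#   [script://$SPLUNK_HOME/etc/apps/my_linux_users/bin/list_login_users.sh]
#   interval = 3600
#   sourcetype = linux:users
#   index = os
#   disabled = 0

# login_users FILE
#   Prints "user=<name> uid=<uid> gid=<gid> home=<home> shell=<shell>" for
#   every account in FILE (passwd format) whose 7th field is non-empty and
#   does not end in one of the usual non-login shells.
login_users() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '
        $7 != "" && $7 !~ /(nologin|false|sync|shutdown|halt)$/ {
            printf "user=%s uid=%s gid=%s home=%s shell=%s\n", $1, $3, $4, $6, $7
        }
    ' "$passwd_file"
}

# count_login_users FILE
#   Number of accounts login_users would report for FILE.
count_login_users() {
    login_users "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd content used for the --demo run below.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/sh
user3:x:1003:1003::/home/user3:/usr/bin/zsh
svc:x:1004:1004::/nonexistent:/bin/false
EOF

if [ "${1:-}" = "--demo" ]; then
    # Local demonstration against the constructed sample.
    login_users "$SAMPLE_PASSWD"
elif [ -n "${SPLUNK_HOME:-}" ]; then
    # Splunk sets SPLUNK_HOME when it runs a scripted input; report the
    # real accounts on the forwarder host in that case.
    login_users /etc/passwd
fi
```

On the search head the events can then be reduced to one row per account, for example `index=os sourcetype=linux:users | dedup user | table user uid shell` (sourcetype assumed from the stanza above). Two caveats a practitioner should keep in mind: because the script runs on an interval, a search that spans several runs will still show an account deleted between runs, so restrict the time range to the most recent interval if you want "users that exist right now"; and having a login shell is not the same as being able to log in (locked passwords, expired accounts and SSH-key-only access are all invisible to this check), so treat the output as an inventory of accounts, not of who can authenticate.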
Can you clarify a bit? Are you looking for all of the Linux users that exist on the machine where you have a forwarder installed?
You wouldn't log in to a Universal Forwarder, so there wouldn't be multiple users defined on one. Are you referring to a Heavy Forwarder?
If it's a Heavy Forwarder, you could use the following to get a list of users and their roles:
`| rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as userName | rename realname as Name`