How can I get a list of users from the REST API?

New Member

Hi everyone,

I'm currently running Splunk 6.5.3.

I want a list of all users who have access to Splunk.

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name

Query 1:

Query 2 (if I remove splunk_server=local):

I have admin privileges but I can't see all users.

Why do I get an error message with query 1?

Why am I unable to see all users with admin privileges (query 2)?

0 Karma

Legend

Hi egid_la,
see the "Data Governance" App ( https://splunkbase.splunk.com/app/1866/ ) there are some dashboards with useful panels where you can copy the search.
Bye.
Giuseppe

0 Karma

Super Champion

I just ran that query with and without splunk_server=local and both worked. With it, it only showed my user; without, it showed all users. I see you got that error message on both searches though. If you inspect the job, can you see the full error message?

0 Karma

New Member

I can see for query 1:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as userName | rename realname as Name

over the time range:

15/11/2017 00:00:00.000 - 15/11/2017 09:50:58.000

did not return any data. Possible solutions are to:

relax the primary search criteria
widen the time range of the search
check that the default search indexes for your account include the desired indexes

Learn more about troubleshooting empty search results at Splunk Documentation

The following messages were returned by the search subsystem:

error : Failed to parse XML Body:<?xml version="1.0" encoding="UTF-8"?> <!--This is to override b...

(SID: 1510735858.14014_7E34E620-2F98-4859-B68C-61B049217E6D) search.log

And for query 2:

This search has completed and has returned 12 results by scanning 12 events in 0.847 seconds

The following messages were returned by the search subsystem:

error : Failed to parse XML Body:<?xml version="1.0" encoding="UTF-8"?> <!--This is to override b...

(SID: 1510735648.13854_7E34E620-2F98-4859-B68C-61B049217E6D) search.log

I'm on a Splunk multisite search head cluster.

0 Karma

Super Champion

| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username realname

Do you get errors when running this? Or does it populate your user?

Try adding splunk_server=* instead of local.

Try adding the deployment server as a search peer to access the REST API endpoints by going to Settings > Distributed search > Search peers, and see if something isn't configured properly.

0 Karma

New Member

| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username realname

No errors; it shows only my user, not all of them.

If I try with:

| rest /services/authentication/users splunk_server=*
| fields title roles realname
| rename title as userName
| rename realname as Name

I get the same result as query 2 (it shows users, but just admins).

I can't see Distributed search under Settings, or it has another name depending on the version.

0 Karma
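
The listing this thread is after, as an added example that is not from any poster in the thread: it post-processes the JSON body of the same endpoint queried directly (/services/authentication/users?output_mode=json&count=0) into the userName/Name/roles view from the question, and surfaces any messages returned alongside the entries so a partial listing is not mistaken for a complete one. The response shape (an "entry" list with "name" and "content", plus a "messages" list) is assumed, and the sample data is constructed.

```python
import json
from collections import defaultdict

# Constructed sample body; the shape ("entry" with "name"/"content", plus
# "messages") is an assumption about the endpoint's output_mode=json response.
SAMPLE_RESPONSE = json.dumps({
    "messages": [{"type": "ERROR", "text": "constructed: peer sh2 did not answer"}],
    "entry": [
        {"name": "admin", "content": {"realname": "Administrator", "roles": ["admin"]}},
        {"name": "jdoe", "content": {"realname": "Jane Doe", "roles": ["user", "power"]}},
        {"name": "svc_report", "content": {"realname": "", "roles": ["user"]}},
    ],
})

def parse_users(body):
    """Return (users, problems): user dicts and the texts of WARN/ERROR/FATAL messages."""
    doc = json.loads(body)
    users = []
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        roles = content.get("roles") or []
        if isinstance(roles, str):  # defensive: tolerate a bare string for one role
            roles = [roles]
        users.append({"userName": entry["name"],
                      "Name": content.get("realname", ""),
                      "roles": sorted(roles)})
    problems = [m.get("text", "") for m in doc.get("messages", [])
                if m.get("type", "").upper() in ("WARN", "ERROR", "FATAL")]
    return users, problems

def users_by_role(users):
    """Invert the listing into role -> sorted user names, for an access review."""
    index = defaultdict(list)
    for user in users:
        for role in user["roles"]:
            index[role].append(user["userName"])
    return {role: sorted(names) for role, names in index.items()}

if __name__ == "__main__":
    users, problems = parse_users(SAMPLE_RESPONSE)
    for role, names in sorted(users_by_role(users).items()):
        print(f"{role}: {', '.join(names)}")
    if problems:
        print("listing may be incomplete:", "; ".join(problems))
```

Queried directly, the endpoint pages its results, so count=0 is needed to get every entry rather than only the first page.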