Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to create a query for user accesses and role i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hermeschu
Engager
05-31-2018
02:49 PM
Hi Folks, I'm trying to create a query where it shows users logged in and indexes belonged or use (one of the two options...). Something like: LAST_LOGIN_DATE, USER, REAL_NAME, INDEX_NAME. But sadly I cannot retrieve the indexes on some of them and sometimes repeat them on the result. I created a query using some other examples on the web without success: Could you help me? Thank you so much!
| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title [
| rest /services/authorization/roles splunk_server=local
| table title srchInd*
| eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault)
| table title indexes
| mvexpand indexes
| dedup title indexes
| eval indexes_orig=indexes
| join indexes max=0 type=left [
| rest /services/data/indexes
| stats count by title
| table title
| eval indexes=if(match(title,"^_"),"_*","*")
| rename title as indexes_new]
| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
| table title indexes]
| join user [
search index=_audit action="login attempt" info=succeeded
| dedup user
| table user timestamp]
| dedup user timestamp
| table timestamp user realname indexes
| sort - timestamp
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
larmesto
Path Finder
06-01-2018
11:33 AM
If you're talking about access permissions a user (or role) may have for some index. Try this approach (I've modified some of your base code, but I think you were going on the right way...):
| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title
[| rest /services/authorization/roles
| table title srchIndexesAllowed
| eval indexes=coalesce(srchIndexesAllowed,srchIndexesDefault)
| table title indexes]
| join user
[ search index=_audit action="login attempt" info=succeeded
| dedup user
| table user timestamp]
| table timestamp user realname indexes
| sort - timestamp
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hermeschu
Engager
06-01-2018
12:27 PM
That worked fine! Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
larmesto
Path Finder
06-01-2018
11:33 AM
If you're talking about access permissions a user (or role) may have for some index. Try this approach (I've modified some of your base code, but I think you were going on the right way...):
| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title
[| rest /services/authorization/roles
| table title srchIndexesAllowed
| eval indexes=coalesce(srchIndexesAllowed,srchIndexesDefault)
| table title indexes]
| join user
[ search index=_audit action="login attempt" info=succeeded
| dedup user
| table user timestamp]
| table timestamp user realname indexes
| sort - timestamp
Regards
Get Updates on the Splunk Community!
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
