Getting Data In
Highlighted

How to create a query for user accesses and role indexes?

Engager

Hi Folks, I'm trying to create a query where it shows users logged in and indexes belonged or use (one of the two options...). Something like: LASTLOGINDATE, USER, REALNAME, INDEXNAME. But sadly I cannot retrieve the indexes on some of them and sometimes repeat them on the result. I created a query using some other examples on the web without success: Could you help me? Thank you so much!

| rest /services/authentication/users 
| search type=Splunk
| table title roles realname 
| rename title as user 
| rename roles as title 
| mvexpand title  
| join type=left max=0 title [
    | rest /services/authorization/roles splunk_server=local 
    | table title srchInd* 
    | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) 
    | table title indexes 
    | mvexpand indexes 
    | dedup title indexes 
    | eval indexes_orig=indexes 
    | join indexes max=0 type=left [
        | rest /services/data/indexes 
        | stats count by title 
        | table title
        | eval indexes=if(match(title,"^_"),"_*","*") 
        | rename title as indexes_new]
        | eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) 
        | table title indexes] 
| join user [
    search index=_audit action="login attempt" info=succeeded 
    | dedup user 
    | table user timestamp]
| dedup user timestamp
| table timestamp user realname indexes
| sort - timestamp
0 Karma
Highlighted

Re: How to create a query for user accesses and role indexes?

Path Finder

If you're talking about access permissions a user (or role) may have for some index. Try this approach (I've modified some of your base code, but I think you were going on the right way...):

| rest /services/authentication/users
| search type=Splunk
| table title roles realname
| rename title as user
| rename roles as title
| mvexpand title
| join type=left max=0 title
[| rest /services/authorization/roles
| table title srchIndexesAllowed
| eval indexes=coalesce(srchIndexesAllowed,srchIndexesDefault)
| table title indexes]
| join user
[ search index=_audit action="login attempt" info=succeeded
| dedup user
| table user timestamp]
| table timestamp user realname indexes
| sort - timestamp

Regards

View solution in original post

0 Karma
Highlighted

Re: How to create a query for user accesses and role indexes?

Engager

That worked fine! Thank you!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.