Solved: Re: Need SPLs to list the current users in Splunk ...

SamHTexas · ‎05-29-2021

Need SPLs to list the current users in Splunk Ent. and ES. Plus listing unauthorized accts created / deleted. Thank u very much in advance.

richgalloway · ‎05-29-2021

To get a list of Splunk users, start with this REST command

| rest /services/authentication/users

To find newly created or deleted accounts, try this search. It's up to you to determine if they're authorized or not. As far as Splunk is concerned, someone with the right capabilities created or deleted the account so it must be authorized.

index=_audit action IN (create_user remove_user)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

SamHTexas · ‎05-29-2021

Thank u sir as always.

richgalloway · ‎05-29-2021

To get a list of Splunk users, start with this REST command

| rest /services/authentication/users

To find newly created or deleted accounts, try this search. It's up to you to determine if they're authorized or not. As far as Splunk is concerned, someone with the right capabilities created or deleted the account so it must be authorized.

index=_audit action IN (create_user remove_user)

---
If this reply helps you, Karma would be appreciated.

Need SPLs to list the current users in Splunk Ent. and ES. Plus listing unauthorized accts created / deleted. Thank u

monitoring console

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk