We're looking to create a search on Splunk admin users' logins. Currently I have a search which includes each admin user name, but I'm looking for a way to dynamically capture the members of the admin role. Is there a system lookup file or other index I can search to get a user's role?
My search so far:
index=_audit source=audittrail action="login attempt" info=succeeded user=<admin user login1> OR user=<admin user login2> OR ... | table _time user
Thanks - this worked:
index=_audit source=audittrail action="login attempt" info=succeeded [| rest /services/authentication/users splunk_server=local | search roles=admin | fields title | rename title AS user] | table _time user
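As an added example (not the poster's search), the same role-driven subsearch extended so that failed admin login attempts are counted alongside successful ones, which is usually what a defender wants to watch; field names are the ones already used above plus the `info=failed` outcome the audit trail records for rejected logins.

```spl
index=_audit source=audittrail action="login attempt" (info=succeeded OR info=failed)
    [| rest /services/authentication/users splunk_server=local
     | search roles=admin
     | fields title
     | rename title AS user]
| stats count(eval(info="succeeded")) AS successes
        count(eval(info="failed"))    AS failures
        latest(_time)                 AS last_attempt
        BY user
| convert ctime(last_attempt)
```

The subsearch is subject to Splunk's default subsearch limits (10,000 results, 60-second timeout), so on deployments with very many users it is safer to write the REST output to a lookup on a schedule and join against that instead.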