We have about 1000+ users in our Splunk environment and we are getting ready for an audit. Specifically, we are reviewing the user access privileges to the data in Splunk. Is there a report or query that will show us this:
User Roles Indexes
user1 role1 idx1, idx2, idx3, idx4
user1 role2 idx10, idx11
user1 role3 idx22
user2 role1 idx1,idx2, idx3, idx4
user2 role4 idx23
If you are logged in as an admin, I believe this will return the data you require:
| rest "services/authentication/users" | dedup title | table title roles capabilities author eai:acl.perms.read eai:acl.perms.write email
If that works I'll convert this to an answer, if not let me know. The eai.acl.perms.read should be a list of the indexes they can view.
It does not answer the question re: index...thx though.
I just found one by somesoni2... good stuff. the answer can be found at: