List each user and their assigned roles and indexes assigned by roles


We have about 1000+ users in our Splunk environment and we are getting ready for an audit. Specifically, we are reviewing the user access privileges to the data in Splunk. Is there a report or query that will show us this:

User Roles Indexes
user1 role1 idx1, idx2, idx3, idx4
user1 role2 idx10, idx11
user1 role3 idx22
user2 role1 idx1,idx2, idx3, idx4
user2 role4 idx23

Thank you

Tags (3)
0 Karma

0 Karma


If you are logged in as an admin, I believe this will return the data you require:

| rest "services/authentication/users"
| dedup title
| table title roles capabilities author  eai:acl.perms.write email

If that works I'll convert this to an answer, if not let me know. The should be a list of the indexes they can view.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma


It does not answer the question re: index...thx though.

I just found one by somesoni2... good stuff. the answer can be found at:

0 Karma