Is there any way to limit list of users based on R...

crsplunkr · ‎03-24-2023

looking for the best way to audit all users accessing REST endpoints

found a way to list users, but any way to limit this based on REST calls?

| rest /services/authentication/users splunk_server=*

Tom_Lundie · ‎03-24-2023

Your best bet is going to be the splunkd_access sourcetype.

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| stats values(user) as user
| mvexpand user

That being said, if you're auditing a SH, you're going to see lots of traffic from splunkweb.

To address this you could filter out the Splunk user agent (the risk with this is that user-agents can be modified):

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| regex useragent!="Splunkd?\/[\d\.]+ \("
| stats values(user) as user
| mvexpand user

Or filter out any localhost connections:

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>" clientip!="127.0.0.1"
| stats values(user) as user
| mvexpand user

Is there any way to limit list of users based on REST calls?

access control

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!