Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- authentication method in a query on splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone,
Is there a way to check for which kind of authentication method is being used by splunk in a log? (Splunk itself, SAML or LDAP)
Thanks in advanced
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,
Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,
Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not 100% correct since it wasn't in a log but since i got it to work i'll call it a win.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I know that in splunk logs those information are not available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i feard that, in any case if anyone knows a work around feel free to share please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below search (It is ugly because of join) but I think it will give you a result.
index=_audit host=<your host> action="login attempt"
| fields user, action, info, src
| join type=left user
[| rest /services/authentication/users splunk_server=local f=title f=type
| rename title as user
| fields user, type ]
| table user, type, action, info, src
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it did not work for me, there were users that appeared with no type (Probably because they no longer exist)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, query which I have provided will give you type if that user exist in splunk, it it does not exist then it will give you blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to get it working for me, but thank you for your help anyway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome... 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
