Splunk Dev

How to generate users list without admin access?

rendie
Path Finder

Hi everyone,

 

I need to generate a list with all users in Splunk Enterprise, but I stuck on permissions.

I have simple a user (without admin access) and when I tried to make a query to servicesNS

splunk:8089/servicesNS/admin/search/authentication/users

In response, I get "You do not have permissions to access objects of user=admin". Also, I tried to search "index=_audit" and "| rest /services/authentication/users" but without success.

 

How can I get a list of users in Splunk using a USER account without admin access? Maybe JS or REST can help?

Thanks.

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rendie ,

if you haven't the grants to execute a REST command, the only hint is to run a search on _internal and extract the users that used Splunk!

index=_audit sourcetype = audittrail action="login attempt"
| dedup user
| sort user
| table user

Ciao.

Giuseppe

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Ordinary users are limited in what they are allowed to see.  The best you can do is this search

| rest /servicesNS/-/search/authentication/users
---
If this reply helps you, Karma would be appreciated.

rendie
Path Finder

@richgallowayusing your solution in my case, as a result, I get only the current log user. This can be useful only for user with ADMIN permissions. But in any way thank you for your help.

0 Karma

richgalloway
SplunkTrust
SplunkTrust
As I said, you are an ordinary user and so are limited in what you may view.
---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rendie ,

if you haven't the grants to execute a REST command, the only hint is to run a search on _internal and extract the users that used Splunk!

index=_audit sourcetype = audittrail action="login attempt"
| dedup user
| sort user
| table user

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust
By default, however, users do not have access to _internal.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...