I need a list of admins and also users from Splunk-ES to list in an audit dashboard.
Since Splunk ES is built on core Splunk, the same command can be used. To isolate the ES users, look for role names beginning with "ess_".
| rest /services/authentication/users | search roles="ess_*" | dedup title
Thanks for the reply!
That command works for me in Splunk-ES, but not in Splunk Enterprise.
You asked for a command that works in Splunk ES and now you have one.
The same query will work in Splunk Enterprise if you remove the search command.
Guess my question is wrong. I need a list of Splunk-ES users from Splunk Enterprise.
When I run that rest command from Splunk Enterprise, I do not see any Splunk-ES users even when I remove the search command.
Do you have ES users registered on the Enterprise system where you run the query? If not, that would explain why they're not found.
How do I get them registered? I should be able to get a list of users in Splunk-ES, yes?
You can register the ES users like you would any other user, but a non-ES instance won't have the ES roles that identify the users as being part of ES.