Splunk Enterprise Security

In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

New Member

I need a list of admins and also users from Splunk-ES to list in an audit dashboard.

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

SplunkTrust

Since Splunk ES is built on core Splunk, the same command can be used. To isolate the ES users, look for role names beginning with "ess_".

| rest /services/authentication/users | search roles="ess_*" | dedup title
---
If this reply helps you, an upvote would be appreciated.
0 Karma
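
An added example, not part of the reply above: one way to extend that query to the audit-dashboard case from the question, listing every user who holds the admin role or any "ess_" role. It assumes the built-in role name admin and that the search runs on the ES search head, where the "ess_" roles exist; splunk_server=local limits the REST call to that instance.

```spl
| rest /services/authentication/users splunk_server=local
| fields title realname roles
| eval is_admin=if(isnotnull(mvfind(roles, "^admin$")), "yes", "no")
| eval es_roles=mvfilter(match(roles, "^ess_"))
| where is_admin="yes" OR isnotnull(es_roles)
| eval es_roles=coalesce(mvjoin(es_roles, ", "), "-")
| eval all_roles=mvjoin(roles, ", ")
| rename title AS user
| table user realname is_admin es_roles all_roles
| sort user
```

Because roles is a multivalue field, mvfind and mvfilter test each role separately, so a user who holds several roles still appears as a single row.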

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

New Member

Thanks for the reply!

That command works for me in Splunk-ES, but not in Splunk Enterprise.

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

SplunkTrust

You asked for a command that works in Splunk ES and now you have one.
The same query will work in Splunk Enterprise if you remove the search command.

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

New Member

Guess my question is wrong. I need a list of Splunk-ES users from Splunk Enterprise.

When I run that rest command from Splunk Enterprise, I do not see any Splunk-ES users even when I remove the search command.

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

SplunkTrust

Do you have ES users registered on the Enterprise system where you run the query? If not, that would explain why they're not found.

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

New Member

How do I get them registered? I should be able to get a list of users in Splunk-ES, yes?

0 Karma

Re: In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

SplunkTrust

You can register the ES users like you would any other user, but a non-ES instance won't have the ES roles that identify the users as being part of ES.

0 Karma