How do I get a list of all the users, admin or not...

SamHTexas · ‎08-18-2021

I need to get a complete list of all users in Splunk Enterprise or Ent. Security & the date the user account was added. Thank u in advance.

codebuilder · ‎08-18-2021

You can run this to get the info you're looking for:

|rest /services/authentication/users splunk_server=local

----
An upvote would be appreciated and Accept Solution if it helps!

SamHTexas · ‎08-18-2021

Thx bro for this. Which server is best to run this on? I ran it on a Search head & the Deployment server & it only gives you info about the admin account & what this acct is running with the "system". Am looking to find list of new users added & when? Please advise.

codebuilder · ‎08-18-2021

You'll want to run it on the search head as admin.

You can also show particular fields you want as below. Modify as needed.

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName, realname as Name

----
An upvote would be appreciated and Accept Solution if it helps!

How do I get a list of all the users, admin or not in Splunk Enterprise or ES & date they were added? Thank u very much

administration

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms