I need to get a complete list of all users in Splunk Enterprise or Ent. Security & the date the user account was added. Thank u in advance.
You can run this to get the info you're looking for:
|rest /services/authentication/users splunk_server=local
Thx bro for this. Which server is best to run this on? I ran it on a Search head & the Deployment server & it only gives you info about the admin account & what this acct is running with the "system". Am looking to find list of new users added & when? Please advise.
You'll want to run it on the search head as admin.
You can also show particular fields you want as below. Modify as needed.
|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName, realname as Name