Splunk Enterprise

How do I get a list of all the users, admin or not in Splunk Enterprise or ES & date they were added? Thank u very much

SamHTexas
Builder

I need to get a complete list of all users in Splunk Enterprise or Ent. Security & the date the user account was added. Thank u in advance.

Labels (1)
Tags (1)
0 Karma

codebuilder
SplunkTrust
SplunkTrust

You can run this to get the info you're looking for:

|rest /services/authentication/users splunk_server=local

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SamHTexas
Builder

Thx bro for this. Which server is best to run this on? I ran it on a Search head & the Deployment server & it only gives you info about the admin account & what this acct is running with the "system". Am looking to find list of new users added & when? Please advise.

Tags (1)
0 Karma

codebuilder
SplunkTrust
SplunkTrust

You'll want to run it on the search head as admin.

You can also show particular fields you want as below. Modify as needed.

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName, realname as Name

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>