Splunk Enterprise

How do I get a list of all the users, admin or not in Splunk Enterprise or ES & date they were added? Thank u very much

SamHTexas
Builder

I need to get a complete list of all users in Splunk Enterprise or Ent. Security & the date the user account was added. Thank u in advance.

Labels (1)
Tags (1)
0 Karma

codebuilder
Influencer

You can run this to get the info you're looking for:

|rest /services/authentication/users splunk_server=local

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SamHTexas
Builder

Thx bro for this. Which server is best to run this on? I ran it on a Search head & the Deployment server & it only gives you info about the admin account & what this acct is running with the "system". Am looking to find list of new users added & when? Please advise.

Tags (1)
0 Karma

codebuilder
Influencer

You'll want to run it on the search head as admin.

You can also show particular fields you want as below. Modify as needed.

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName, realname as Name

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...