Splunk Enterprise

Users with multiple roles - effective settings for search Disk Usage

kozanic_mg
Explorer

Hi All,

We are trying to organise some monitoring / Alerting for users and search disk usage and I know SplunkAdmins app has some stuff, but we need something a little different.

What I need atm is a way to determine a users effective settings as most users have at least 2 or more roles and I haven't found any clear way to determine what a given users allowance is to be able to configure an alert against.

Not sure if I have just missed something simple?

Hoping someone out there might have some suggestions.

Thanks in advance!

Labels (2)
0 Karma
1 Solution

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

View solution in original post

0 Karma

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...