Splunk Enterprise

Users with multiple roles - effective settings for search Disk Usage

kozanic_mg
Explorer

Hi All,

We are trying to organise some monitoring / Alerting for users and search disk usage and I know SplunkAdmins app has some stuff, but we need something a little different.

What I need atm is a way to determine a users effective settings as most users have at least 2 or more roles and I haven't found any clear way to determine what a given users allowance is to be able to configure an alert against.

Not sure if I have just missed something simple?

Hoping someone out there might have some suggestions.

Thanks in advance!

Labels (2)
0 Karma
1 Solution

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

View solution in original post

0 Karma

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...