Hi All,
We are trying to organise some monitoring / Alerting for users and search disk usage and I know SplunkAdmins app has some stuff, but we need something a little different.
What I need atm is a way to determine a users effective settings as most users have at least 2 or more roles and I haven't found any clear way to determine what a given users allowance is to be able to configure an alert against.
Not sure if I have just missed something simple?
Hoping someone out there might have some suggestions.
Thanks in advance!
Have managed to work out this report which give me what I need:
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv
Have managed to work out this report which give me what I need:
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv