Splunk Search

How can I search a list of users with all the roles and indexes assigned?

cdo_splunk
Splunk Employee

I found this search

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

But I have a can_delete role, but it is not listed

1 Solution

martin_mueller
SplunkTrust

Your can_delete role is likely not associated with any index, so a left join starting with your indexes isn't going to show it.

Try this:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+) | stats values(*) as * by user

Now with expanded _* and * indexes:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*
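
As an added example (not code from the thread), the same user to role to index expansion done offline in Python on constructed sample data, following the accepted answer's approach: start from users so a role with no index access (like can_delete) survives, then expand each role's srchIndexesAllowed patterns against the index list. It generalises the `*` / `_*` expansion to any glob pattern, assuming the authorize.conf rule that patterns beginning with `_` match only internal indexes and other patterns only non-internal ones.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the REST fields the thread uses:
#   /services/authentication/users -> title, roles
#   /services/authorization/roles  -> title, srchIndexesAllowed
#   /services/data/indexes         -> title
USERS = {"xyz": ["admin", "can_delete", "test_role", "os_role"]}
ROLES = {
    "admin": ["*", "_*"],
    "can_delete": [],            # the role from the question: no index access
    "test_role": ["christine"],
    "os_role": ["os*"],          # a glob beyond the page's '*' / '_*' cases
}
INDEXES = ["_audit", "_internal", "_introspection", "_thefishbucket",
           "main", "os", "os_linux", "christine", "christine_new"]


def pattern_matches(pattern, index):
    """One srchIndexesAllowed entry against one index name.

    Assumed authorize.conf rule: internal (leading '_') and non-internal
    indexes are matched separately, so '*' never covers '_audit' and
    '_*' never covers 'main'. Everything else is ordinary glob matching.
    """
    if pattern.startswith("_") != index.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def expand_role(patterns, indexes):
    """Concrete, sorted list of indexes a role's patterns allow."""
    return sorted(i for i in indexes
                  if any(pattern_matches(p, i) for p in patterns))


def user_index_access(users, roles, indexes):
    """Map user -> role -> expanded index list, starting from users.

    Starting from users (as the accepted answer does) keeps roles that
    grant no index access, such as can_delete, which an index-first left
    join silently drops. An unknown role is treated as granting nothing.
    """
    return {user: {role: expand_role(roles.get(role, []), indexes)
                   for role in role_names}
            for user, role_names in users.items()}


if __name__ == "__main__":
    for user, by_role in user_index_access(USERS, ROLES, INDEXES).items():
        for role, idx in by_role.items():
            print(f"{user:6} {role:12} {' '.join(idx) or '(none)'}")
```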

cdo_splunk
Splunk Employee

Thanks Martin, it worked now :<). You are the best.

cdo_splunk
Splunk Employee

Thanks! Yours worked partially. It showed all the roles but not all indexes. It does not show indexes like _fishbucket, _audit, _blocksignature, _introspection and user-created indexes.

cdo_splunk
Splunk Employee

Yes, I want it to expand and list all indexes. From the search I posted, it showed this:

index_name       Role           User
_audit           admin          xyz
_blocksignature  admin          xyz
_internal        admin          xyz
_internal        new_user_role  xyz
_introspection   admin          xyz
_thefishbucket   admin          xyz
christine        admin          xyz
christine        test_role      xyz
christine_new    admin          xyz

but I do not have the can_delete role.

Your query looks like this:

user roles srchIndexesAllowed srchIndexesDefault
xyz admin * _* main os

cdo_splunk
Splunk Employee

Thanks Martin! I tried the newly updated search. Now it does not list the can_delete role when I combined the search I posted with your search.

cdo_splunk
Splunk Employee

Martin,
This new one you posted does not show the can_delete role; it showed all indexes and the other roles.

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*

martin_mueller
SplunkTrust

So... you want to expand * and _* into a list of all non-internal / internal indexes?

martin_mueller
SplunkTrust

I've added a slightly more verbose search that will expand * and _* into a list of indexes, give that a shot.

martin_mueller
SplunkTrust

I see... minor issue with mvexpand and null values, I've replaced the search.

martin_mueller
SplunkTrust

Don't combine searches, just take the one from my answer.

alacercogitatus
SplunkTrust

You can try this:

| rest /services/authentication/users | rename title as User, roles as Role | stats count by User Role | fields - count | appendcols [ | rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role] | stats values(Role) as Role values(srchIndexesAllowed) as Indexes by User

cdo_splunk
Splunk Employee

Your search showed this:

User   Role   Indexes
admin  admin  * _*

It does not show all the index names.

alacercogitatus
SplunkTrust

It won't. That's not how the data is returned. If the role has access to individual indexes, they will show. It is straight from the manager gui page.

cdo_splunk
Splunk Employee

But your search only showed the admin role, and the indexes only show (_*) and not all the indexes.

alacercogitatus
SplunkTrust

Try it again. If you see *, that means All Indexes.
