
How can I search a list of users with all the roles and indexes assigned?

Splunk Employee

I found this search:

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

I have a can_delete role, but it is not listed.


Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

You can try this:

| rest /services/authentication/users | rename title as User, roles as Role | stats count by User Role | fields - count
| appendcols [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role]
| stats values(Role) as Role values(srchIndexesAllowed) as Indexes by User
0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

Splunk Employee

But your search only showed the admin role, and the indexes only show (_*) and not all the indexes.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

Try it again. If you see *, that means All Indexes.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

Splunk Employee

Your search showed this:

User Role Indexes
admin admin * _*

It does not show all the index names.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

It won't. That's not how the data is returned. If the role has access to individual indexes, they will show. It is straight from the manager gui page.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

Your can_delete role is likely not associated with any index, so a left join starting with your indexes isn't going to show it.

Try this:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+) | stats values(*) as * by user

Now with expanded _* and * indexes:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*


Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

Don't combine searches, just take the one from my answer.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

I see... minor issue with mvexpand and null values, I've replaced the search.

0 Karma

Re: How can I search a list of users with all the roles and indexes assigned?

SplunkTrust

I've added a slightly more verbose search that will expand * and _* into a list of indexes, give that a shot.

0 Karma
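
The user-to-role-to-index expansion discussed in this thread, as an added Python example for offline access reviews (not code from any poster). It goes beyond the accepted answer by expanding any wildcard pattern such as app_*, not only * and _*. The sample users, roles and indexes are constructed, the function names are hypothetical, and inherited roles are not resolved.

```python
import re

# Constructed sample data, shaped like the three REST endpoints used in the thread:
# authentication/users (roles), authorization/roles (srchIndexesAllowed), data/indexes (title).
USERS = {"admin": ["admin", "can_delete"], "alice": ["user"], "bob": ["app_analyst"]}
ROLES = {
    "admin": ["*", "_*"],
    "can_delete": [],                    # role with no index assigned
    "user": ["main"],
    "app_analyst": ["app_*", "_audit"],
}
INDEXES = ["main", "app_web", "app_db", "_internal", "_audit", "summary"]


def pattern_matches(pattern, index):
    """True if a srchIndexesAllowed pattern covers the index name.

    Internal (_-prefixed) indexes are only covered by patterns that also
    start with "_", the same split the thread's searches make for * and _*.
    """
    if index.startswith("_") != pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def effective_access(users, roles, indexes):
    """Start from users (not indexes) so roles without indexes are still listed."""
    report = {}
    for user, user_roles in users.items():
        allowed = set()
        for role in user_roles:
            for pattern in roles.get(role, []):
                allowed.update(i for i in indexes if pattern_matches(pattern, i))
        report[user] = {"roles": sorted(user_roles), "indexes": sorted(allowed)}
    return report


def who_can_search(report, index):
    """Reverse lookup for a review: which users can search a given index."""
    return sorted(u for u, entry in report.items() if index in entry["indexes"])


if __name__ == "__main__":
    result = effective_access(USERS, ROLES, INDEXES)
    for user, entry in result.items():
        print(user, entry["roles"], entry["indexes"])
    print("_audit:", who_can_search(result, "_audit"))
```
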