How can I search a list of users with all the roles and indexes assigned?

cdo_splunk
Splunk Employee

I found this search:

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

I have a can_delete role, but it is not listed.

1 Solution

martin_mueller
SplunkTrust

Your can_delete role is likely not associated with any index, so a left join starting with your indexes isn't going to show it.

Try this:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+) | stats values(*) as * by user

Now with expanded _* and * indexes:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*
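The same access review done outside SPL, added here as an example that is not part of the thread: it takes the three object types the searches above use (users, roles, indexes), expands each role's srchIndexesAllowed / srchIndexesDefault patterns into concrete index names with the same rule (* covers non-internal indexes, _* covers internal ones), and walks from users so that an index-less role such as can_delete still shows up. The user, role and index records are constructed inline in the shape of the REST endpoints' fields rather than fetched from a server.

```python
# Added example, not from the thread: the SPL access review above, over constructed data.
from fnmatch import fnmatchcase

# Constructed sample data (titles/fields as the REST endpoints return them).
INDEXES = ["_audit", "_internal", "_introspection", "main", "os", "christine"]
ROLES = {  # /services/authorization/roles
    "admin": {"srchIndexesAllowed": "* _*", "srchIndexesDefault": "main os"},
    "can_delete": {"srchIndexesAllowed": "", "srchIndexesDefault": ""},
    "test_role": {"srchIndexesAllowed": "christine", "srchIndexesDefault": "christine"},
}
USERS = {"xyz": ["admin", "can_delete"], "bob": ["test_role"]}  # /services/authentication/users


def expand_patterns(patterns, indexes):
    """Expand whitespace-separated index patterns into concrete index names.

    Splunk reads "*" as every non-internal index and "_*" as every internal
    (underscore-prefixed) one, so a pattern never crosses that boundary.
    """
    matched = set()
    for pat in patterns.split():
        internal = pat.startswith("_")
        for idx in indexes:
            if idx.startswith("_") == internal and fnmatchcase(idx, pat):
                matched.add(idx)
    return sorted(matched)


def user_access(users, roles, indexes):
    """Map each user to its roles and the expanded allowed/default index lists.

    Walking from users (as the accepted answer does) keeps roles that grant no
    index, such as can_delete, which a join that starts from indexes drops.
    """
    report = {}
    for user, role_names in users.items():
        allowed, default = set(), set()
        for name in role_names:
            role = roles.get(name, {})
            allowed.update(expand_patterns(role.get("srchIndexesAllowed", ""), indexes))
            default.update(expand_patterns(role.get("srchIndexesDefault", ""), indexes))
        report[user] = {"roles": sorted(role_names),
                        "allowed": sorted(allowed), "default": sorted(default)}
    return report


if __name__ == "__main__":
    for user, info in user_access(USERS, ROLES, INDEXES).items():
        print(user, info["roles"], "allowed:", info["allowed"], "default:", info["default"])
```

Real roles can also inherit index access through importedRoles, which neither the searches in this thread nor this example resolve; an audit that needs effective access has to follow that chain too.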

cdo_splunk
Splunk Employee

Thanks Martin, it worked now :<). You are the best.

cdo_splunk
Splunk Employee

Thanks! Yours worked partially. It showed all the roles but not all indexes. It does not show indexes like _fishbucket, _audit, _blocksignature, _introspection and user-created indexes.

cdo_splunk
Splunk Employee

Yes, I want it to expand and list all indexes. From the search I posted, it showed like this:
index_name Role User
_audit admin xyz
_blocksignature admin xyz
_internal admin xyz
_internal new_user_role xyz
_introspection admin xyz
_thefishbucket admin xyz
christine admin xyz
christine test_role xyz
christine_new admin xyz

but I do not have the can_delete role

Your query looks like this:
user roles srchIndexesAllowed srchIndexesDefault
xyz admin * _* main os

cdo_splunk
Splunk Employee

Thanks Martin! I tried the new updated search. Now it does not list the can_delete role when I combine the search I posted with your search.

cdo_splunk
Splunk Employee

Martin,
This new one you posted does not show the can_delete role; it showed all indexes and other roles:

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*

martin_mueller
SplunkTrust

So... you want to expand * and _* into a list of all non-internal / internal indexes?

martin_mueller
SplunkTrust

I've added a slightly more verbose search that will expand * and _* into a list of indexes, give that a shot.

martin_mueller
SplunkTrust

I see... minor issue with mvexpand and null values, I've replaced the search.

martin_mueller
SplunkTrust

Don't combine searches, just take the one from my answer.

alacercogitatus
SplunkTrust

You can try this:

| rest /services/authentication/users |rename title as User, roles as Role |stats count by  User Role |fields - count| appendcols [ |rest /services/authorization/roles |table title srchIndexesAllowed|rename title as Role]|stats values(Role) as Role values(srchIndexesAllowed) as Indexes by User

cdo_splunk
Splunk Employee

Your search showed this:

User Role Indexes
admin admin * _*

It does not show all the index names.

alacercogitatus
SplunkTrust

It won't. That's not how the data is returned. If the role has access to individual indexes, they will show. It is straight from the manager GUI page.

cdo_splunk
Splunk Employee

But your search only showed the admin role, and the indexes only show (_*) and not all the indexes.

alacercogitatus
SplunkTrust

Try it again. If you see *, that means All Indexes.
