Splunk Search

How do I create a search that displays the amount of users on each app and how often it's been used in the last 60 days?

SevenDos
Explorer

I'm trying to create a table that displays the following result

Appname | Amount of users with read access | Amount of users that have accessed in the last 2 months | Open Access | Protected Access
AppX | <number> | <number> | O | P

I know that I can use the rest api for most (maybe all) of this.

The following tells me which apps there are and with what roles a user has read access.

| rest /servicesNS/-/-/apps/local splunk_server="local" 
| fields label, eai:acl.perms.read 
| rename eai:acl.perms.read as roles
| sort by label 
| search label!=_searchhead_config

The following tells me what users there are and what roles they have.

| rest /services/authentication/users splunk_server=local 
| fields title roles 
| mvexpand roles
| rename title as userName

What I want to do now is to combine those and, by the roles, match which users have access to a certain app, and then count how many there are.

I'm a newbie and I've tried all kinds of things with join, append, appendcols but it never gives me the results I need. Can someone point me in the right direction?


richgalloway
SplunkTrust

Here's one way to combine those searches.  I'm sure there are other possibilities.  It depends on what the output needs to look like.

| rest /servicesNS/-/-/apps/local splunk_server="local" 
| fields label, eai:acl.perms.read 
| rename eai:acl.perms.read as roles 
| mvexpand roles 
| sort by label 
| search label!=_searchhead_config 
| append 
    [| rest /services/authentication/users splunk_server=local 
    | fields title roles 
    | eval roles=mvappend(roles, "*") 
    | mvexpand roles 
    | rename title as userName] 
| stats values(*) as * by roles 
| table userName roles label

---
If this reply helps you, Karma would be appreciated.

SevenDos
Explorer

Thanks for the response. What is happening in line 14? Is that an accidental paste that I should remove, or does there have to be an additional join there? It looks like the former, as this is where the search starts. Removing it tells me there are no roles.

I would want the output to look like:

label (name of the app) | amount of users that have read access to this app

richgalloway
SplunkTrust

Sorry about the copy-paste error.  I've fixed it.

The current query produces a list of apps, the roles with access to the apps, and users with those roles.

---
If this reply helps you, Karma would be appreciated.
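Added example (not richgalloway's or SevenDos's search) that carries the role join above one step further to the per-app count SevenDos asked for: one row per app with the number of distinct users whose roles appear in its read permissions. It assumes the same two REST endpoints and, as in the accepted answer, that a read permission of "*" means every role; it matches only the roles listed directly on each user, so roles inherited through role import are not expanded, and the "accessed in the last 2 months" column is not covered because neither endpoint returns usage data.

```spl
| rest /servicesNS/-/-/apps/local splunk_server=local
| fields label eai:acl.perms.read
| rename eai:acl.perms.read as roles
| search label!=_searchhead_config
| mvexpand roles
| append
    [| rest /services/authentication/users splunk_server=local
    | fields title roles
    | eval roles=mvappend(roles, "*")
    | mvexpand roles
    | rename title as userName]
| stats values(label) as label, values(userName) as userName by roles
| mvexpand label
| stats dc(userName) as users_with_read_access, values(roles) as roles by label
| sort - users_with_read_access
```

The final `dc(userName)` counts a user once even when several of their roles grant read access to the same app; the `roles` column is kept so you can see which role grants each user's access.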