I'm looking for a way to search all indexes available for each role in Splunk (including access inherited from other roles).
This search almost does this:
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as Indexes, title as Role | search Indexes=*
However, this does not account for inherited indexes.
Listing indexes available for a single role is fairly easy (but time-consuming):
Under Settings -> Roles -> select a role (or Edit), open the "Indexes" tab, and filter "Show Selected" from the far-right column.
-----------------------
Is there a way to get this list (for all roles) from SQL?
Hi
you could try this
| rest /services/authentication/users splunk_server=local
| table title roles
| rename title as user
| mvexpand roles
| join type=left roles
[ rest /services/authorization/roles splunk_server=local
| table title srchIndexesAllowed srchIndexesDefault imported_srchIndexesAllowed imported_srchIndexesDefault
| rename title as roles]
| fillnull value="" srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesAllowed, imported_srchIndexesDefault
| eval srchIndexesAllowed = srchIndexesAllowed + " " + imported_srchIndexesAllowed, srchIndexesDefault = srchIndexesDefault . " " . imported_srchIndexesDefault
| makemv srchIndexesAllowed tokenizer=(\S+)
| makemv srchIndexesDefault tokenizer=(\S+)
| eval indexes=
[| eventcount summarize=false index=* index=_*
| stats values(index) AS indexes
| eval theindexes="\"" . mvjoin(indexes, " ") . "\""
| return $theindexes ]
| makemv indexes
| stats values(srchIndexesAllowed) AS srchIndexesAllowed, values(srchIndexesDefault) AS srchIndexesDefault by roles
| where isnotnull(srchIndexesAllowed)
Thanks @gjanders for this!
You could also use the app https://splunkbase.splunk.com/app/4111 to get this and other auth* stuff.
r. Ismo
This works very well, thank you.
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| eval srchIndexesAllowed=mvappend(srchIndexesAllowed,imported_srchIndexesAllowed)
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed as Indexes, title as Role
| search Indexes=*
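
An offline cross-check for the inherited access the searches above report, as an added example that is not part of the original thread: it resolves `importRoles` transitively from authorize.conf-style role stanzas and expands wildcards against an index list. The stanzas, index names and function names are constructed for illustration; it assumes Splunk's rule that a wildcard matches underscore-prefixed internal indexes only when the pattern itself starts with `_`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: role stanzas in authorize.conf syntax, plus an index list.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = main
[role_power]
importRoles = user
srchIndexesAllowed = web_*
[role_soc]
importRoles = power
srchIndexesAllowed = _audit;sec*
[role_loop_a]
importRoles = loop_b
[role_loop_b]
importRoles = loop_a
srchIndexesAllowed = *
"""
SAMPLE_INDEXES = ["main", "web_prod", "web_dev", "security", "_audit", "_internal"]

def split_list(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(conf_text):
    """Map role name -> (imported roles, own srchIndexesAllowed patterns)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: importRoles, srchIndexesAllowed
    cp.read_string(conf_text)
    return {s[5:]: (split_list(cp[s].get("importRoles", "")),
                    split_list(cp[s].get("srchIndexesAllowed", "")))
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(role, roles, seen=None):
    """Own patterns plus those of every transitively imported role."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # import cycle or undefined role
        return set()
    seen.add(role)
    imported, own = roles[role]
    return set(own).union(*(effective_patterns(r, roles, seen) for r in imported))

def expand(patterns, indexes):
    """Resolve wildcards; only a pattern starting with '_' matches internal indexes."""
    return sorted({i for i in indexes for p in patterns
                   if fnmatchcase(i, p) and (p.startswith("_") or not i.startswith("_"))})

def audit(conf_text, indexes):
    roles = load_roles(conf_text)
    return {r: expand(effective_patterns(r, roles), indexes) for r in roles}
```

Calling `audit(SAMPLE_CONF, SAMPLE_INDEXES)` returns a role-to-indexes mapping that can be compared against the REST output to spot roles whose inherited access is broader than intended.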