Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Generate Roles to Indexes table?

ttilstra1
Engager
‎08-18-2023 06:23 AM

I'm looking for a way to search all indexes available for each role in Splunk (including access inherited from other roles).

This search almost does this:

 

 

 

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as Indexes, title as Role | search Indexes=*

 

 

 

However, this does not account for inherited indexes.

Listing indexes available for a single role is fairly easy (but time consuming):

Under
Settings -> Roles -> 

Select a role (or Edit)
Open "Indexes" Tab
Filter "Show Selected" from the far right column.

-----------------------

Is there a way to get this list (for all roles) from SQL? 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 06:52 AM

Hi

you could try this

| rest /services/authentication/users splunk_server=local 
| table title roles 
| rename title as user 
| mvexpand roles 
| join type=left roles 
    [ rest /services/authorization/roles splunk_server=local 
    | table title srchIndexesAllowed srchIndexesDefault imported_srchIndexesAllowed imported_srchIndexesDefault 
    | rename title as roles] 
| fillnull value="" srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesAllowed, imported_srchIndexesDefault 
| eval srchIndexesAllowed = srchIndexesAllowed + " " + imported_srchIndexesAllowed, srchIndexesDefault = srchIndexesDefault . " " . imported_srchIndexesDefault 
| makemv srchIndexesAllowed tokenizer=(\S+) 
| makemv srchIndexesDefault tokenizer=(\S+) 
| eval indexes= 
    [| eventcount summarize=false index=* index=_* 
    | stats values(index) AS indexes 
    | eval theindexes="\"" . mvjoin(indexes, " ") . "\"" 
    | return $theindexes ] 
| makemv indexes 
| stats values(srchIndexesAllowed) AS srchIndexesAllowed, values(srchIndexesDefault) AS srchIndexesDefault by roles
| where isnotnull(srchIndexesAllowed)

Thanx @gjanders for this!

You could also use app https://splunkbase.splunk.com/app/4111 to get this and other auth* stuff.

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 06:52 AM

Hi

you could try this

| rest /services/authentication/users splunk_server=local 
| table title roles 
| rename title as user 
| mvexpand roles 
| join type=left roles 
    [ rest /services/authorization/roles splunk_server=local 
    | table title srchIndexesAllowed srchIndexesDefault imported_srchIndexesAllowed imported_srchIndexesDefault 
    | rename title as roles] 
| fillnull value="" srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesAllowed, imported_srchIndexesDefault 
| eval srchIndexesAllowed = srchIndexesAllowed + " " + imported_srchIndexesAllowed, srchIndexesDefault = srchIndexesDefault . " " . imported_srchIndexesDefault 
| makemv srchIndexesAllowed tokenizer=(\S+) 
| makemv srchIndexesDefault tokenizer=(\S+) 
| eval indexes= 
    [| eventcount summarize=false index=* index=_* 
    | stats values(index) AS indexes 
    | eval theindexes="\"" . mvjoin(indexes, " ") . "\"" 
    | return $theindexes ] 
| makemv indexes 
| stats values(srchIndexesAllowed) AS srchIndexesAllowed, values(srchIndexesDefault) AS srchIndexesDefault by roles
| where isnotnull(srchIndexesAllowed)

Thanx @gjanders for this!

You could also use app https://splunkbase.splunk.com/app/4111 to get this and other auth* stuff.

r. Ismo 

Reply
Solved! Jump to solution

ttilstra1
Engager
‎08-18-2023 07:22 AM

this works very well, thank you

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 06:43 AM 
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
| eval srchIndexesAllowed=mvappend(srchInexesAllowed,imported_srchIndexesAllowed)
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed as Indexes, title as Role
| search Indexes=*
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...