Splunk Search

How to list user accounts with domain?

brpsingara
Explorer

Hi,

Splunk Enterprise.

I am trying to get the list of all user accounts using the code below, but the result shows only the Splunk console users list instead of the full Active Directory user account list.

Code:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | table title email realname type

Output

Admin admin@xyz.com administrator splunk
babu babu@xyz.com babu LDAP

Like this, the result shows only 10 lines, and all of them are Splunk console users. I don't know why the Active Directory user accounts are not showing.

Could anyone help me and guide me on this?

Thanks in advance.

0 Karma
1 Solution

alonsocaio
Contributor

To get a list of users or computers from your Active Directory you could use the Splunk Supporting Add-on for Active Directory. It allows you to use the ldapsearch command in your searches.

To get a simple list of your AD users and output this list to a CSV file you could use the search below:

| ldapsearch domain=YOUR_DOMAIN search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,mail"
| table sAMAccountName,displayName,mail
| outputlookup AD_Users.csv

brpsingara
Explorer

Thank you so much alonsocaio.

The above code is working.

0 Karma

alonsocaio
Contributor

Glad it worked for you!

0 Karma

nickhills
Ultra Champion

This will not give you users who have accounts on Splunk.
I think you have misunderstood the question.

If my comment helps, please give it a thumbs up!
0 Karma

alonsocaio
Contributor

Anyway, I'm gonna try some queries for your approach to this question. Maybe it is gonna be useful one day.

0 Karma

brpsingara
Explorer

I am looking for the AD user account list only.

The above code is working for me.

0 Karma

nickhills
Ultra Champion

Oh, maybe I misunderstood the question!!!

I thought you wanted LDAP users who had access to Splunk, not just all AD users from your domain.

Glad you found a solution!

If my comment helps, please give it a thumbs up!
0 Karma

alonsocaio
Contributor

Have you tried to use ldapsearch in Splunk? I guess it will work in this case.

0 Karma

nickhills
Ultra Champion

From that same search head, can you see the LDAP users if you go to your_sh:8000/en-GB/manager/search/authentication/users?

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

Please give me the full code.

0 Karma

nickhills
Ultra Champion

I mean in a browser go to http(s)://your_splunk_search_head:8000/en-GB/manager/search/authentication/users

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

Thanks nickhillscpl,

but I don't know; in the browser it also lists only the Splunk console users.

The total Active Directory user account count is 480,

but it lists only 13 user accounts if I use " https://172.16.x.x:8000/en-GB/manager/search/authentication/users ".

Is there any other method for listing all user accounts?

0 Karma

nickhills
Ultra Champion

So this sounds like the search head you are running the query against only knows about the local users, which is why the management UI and the REST API are showing you only a few of them.

Are you sure the missing users are LDAP, and not SAML?

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

Yes, missing users are LDAP.

Please confirm: " http(s)://your_splunk_search_head:8000 ", is this the Splunk console IP which I use to log in to the Splunk console?

0 Karma

nickhills
Ultra Champion

Yes, this should be the address of the Splunk server you access the user interface through.

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

Then I am using the correct one. Why does it list only a few accounts? These user accounts are able to access the Splunk console, meaning the listed accounts are able to access "https://172.16.x.x:8000/en-US/account/login ".

0 Karma

nickhills
Ultra Champion

Can you post the contents of $SPLUNK_HOME/etc/system/local/authentication.conf
(remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

Sorry, I have access only to the console. I believe it runs on Linux.

0 Karma

nickhills
Ultra Champion

If you run a Splunk search with this: | rest splunk_server=local /servicesNS/-/-/authentication/providers/LDAP | search disabled=0 what do you get back?
(remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

brpsingara
Explorer

I did run the above code in search; below is the result. Copy the result below and paste it in Excel, and you will see it in a friendlier layout.

Field | Splunk Admins | Splunk Readers
SSLEnabled | 0 | 0
anonymous_referrals | 0 | 0
author | nobody | nobody
bindDN | CN=s-splunk.user,OU=Users ABC-XYZ.net,DC=ABC-XYZ,DC=NET | CN=s-splunk.user,OU=Users ABC-XYZ.net,DC=ABC-XYZ,DC=NET
bindDNpassword | ******** | ********
charset | utf8 | utf8
disabled | 0 | 0
eai:acl.app | system | system
eai:acl.can_list | 1 | 1
eai:acl.can_write | 1 | 1
eai:acl.modifiable | 0 | 0
eai:acl.owner | nobody | nobody
eai:acl.perms.read | * | *
eai:acl.perms.write | * | *
eai:acl.removable | 1 | 1
eai:acl.sharing | system | system
emailAttribute | mail | mail
groupBaseDN | CN=SplunkAdmins,OU=SECURITY OPERATIONS GROUPS,OU=SECURITY OPERATIONS,DC=ABC-XYZ,DC=NET | CN=SplunkReaders,OU=SECURITY OPERATIONS GROUPS,OU=SECURITY OPERATIONS,DC=ABC-XYZ,DC=NET
groupMappingAttribute | dn | dn
groupMemberAttribute | member | member
groupNameAttribute | cn | cn
host | lew-ABCXYZ-dc01.osi-snt.net | lew-ABCXYZ-dc01.osi-snt.net
id | https://127.0.0.1:8089/servicesNS/nobody/system/authentication/providers/LDAP/Splunk%20Admins | https://127.0.0.1:8089/servicesNS/nobody/system/authentication/providers/LDAP/Splunk%20Readers
nestedGroups | 1 | 1
network_timeout | 20 | 20
order | 1 | 2
port | 389 | 389
published | |
realNameAttribute | displayname | displayname
sizelimit | 1000 | 1000
splunk_server | LEW-SPLK-SH01 | LEW-SPLK-SH01
timelimit | 15 | 15
title | Splunk Admins | Splunk Readers
updated | 1969-12-31T19:00:00-05:00 | 1969-12-31T19:00:00-05:00
userBaseDN | DC=ABC-XYZ,DC=NET | DC=ABC-XYZ,DC=NET
userNameAttribute | samaccountname | samaccountname

0 Karma
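The provider output above shows each LDAP strategy bound to a single group under groupBaseDN (SplunkAdmins and SplunkReaders), and Splunk only enumerates LDAP users that belong to a group it maps to a role, which is why the users endpoint returns 13 accounts while the domain holds 480. As an added example (not code from the thread), the search below joins the ldapsearch listing from the accepted answer with the users endpoint to report which AD accounts are mapped into Splunk, which are not, and which mapped accounts are disabled or missing in AD. It assumes the Splunk Supporting Add-on for Active Directory is installed and uses YOUR_DOMAIN as a placeholder for the configured domain stanza.

```spl
| ldapsearch domain=YOUR_DOMAIN search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,mail,userAccountControl"
| rename sAMAccountName AS user
| eval source="ad"
| eval ad_disabled=if(tonumber(userAccountControl) % 4 >= 2, "yes", "no")
| append
    [| rest splunk_server=local /servicesNS/-/-/authentication/users count=0
     | search type="LDAP"
     | rename title AS user
     | eval source="splunk", splunk_roles=mvjoin(roles, ",")
     | table user realname email source splunk_roles]
| eval user=lower(user)
| stats values(source) AS sources values(displayName) AS displayName values(mail) AS mail
        values(ad_disabled) AS ad_disabled values(splunk_roles) AS splunk_roles by user
| eval status=case(
      mvcount(sources)==2 AND ad_disabled=="yes", "disabled in AD but still mapped in Splunk",
      mvcount(sources)==2, "AD user with Splunk access",
      sources=="ad", "AD user without Splunk access",
      sources=="splunk", "Splunk LDAP user not found in AD")
| table user displayName mail ad_disabled splunk_roles status
```

The ad_disabled test reads bit 1 (ACCOUNTDISABLE, value 2) of userAccountControl, so the "disabled in AD but still mapped in Splunk" rows are the ones an access review should look at first.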