Hi,
Splunk Enterprise.
I am trying to get the list of all user accounts using the code below, but the result shows only the Splunk console user list instead of the full Active Directory user account list.
Code:
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | table title email realname type
Output
Admin admin@xyz.com administrator splunk
babu babu@xyz.com babu LDAP
The result shows only 10 lines like this, and all of them are Splunk console users. I don't know why all the Active Directory user accounts are not showing.
Could anyone help me and guide me on this?
Thanks in advance.
To get a list of users or computers from your Active Directory you could use the Splunk Supporting Add-on for Active Directory. It allows you to use the ldapsearch command on your searches.
To get a simple list of your AD users and output this list to a CSV file, you could use the search below:
| ldapsearch domain=YOUR_DOMAIN search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,mail"
| table sAMAccountName,displayName,mail
| outputlookup AD_Users.csv
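As an added example (not part of the answer above or of the add-on's documentation), the same ldapsearch can be tightened and then reconciled against what the search head itself knows. The filter below uses objectCategory=person, which already excludes computer objects, and the standard LDAP bitwise matching rule 1.2.840.113556.1.4.803 on userAccountControl to drop accounts with the ACCOUNTDISABLE bit (value 2) set, so the export lists only enabled human accounts. It then left-joins the result to the /authentication/users REST endpoint from the original question, so every AD account is flagged with the Splunk user type it maps to (LDAP, Splunk, or none). YOUR_DOMAIN is the same placeholder as above; the field names account and splunk_user_type and the output file name are my own choices.

```spl
| ldapsearch domain=YOUR_DOMAIN search="(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,displayName,mail,userAccountControl"
| eval account=lower(sAMAccountName)
| join type=left account
    [| rest splunk_server=local /servicesNS/-/-/authentication/users count=0
     | eval account=lower(title), splunk_user_type=type
     | table account splunk_user_type]
| fillnull value="none" splunk_user_type
| table sAMAccountName displayName mail userAccountControl splunk_user_type
| outputlookup AD_Users_vs_Splunk.csv
```

Both sides are lowercased before the join because sAMAccountName is case-insensitive in AD while the Splunk username (the title field of the REST endpoint) is stored as it was first seen. Rows with splunk_user_type="none" are AD accounts with no Splunk login at all, which is the set the earlier replies in this thread were asking about; if you want disabled accounts in the export as well, remove the userAccountControl clause from the filter and keep the attribute in the table so you can tell them apart.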
Thank you so much alonsocaio.
The above code is working.
Glad it worked for you!
This will not give you users who have accounts on Splunk.
I think you have misunderstood the question.
Anyway, I'm going to try some queries for your approach to this question. Maybe it is going to be useful one day.
I am looking for the AD user account list only.
The above code is working for me.
Oh, maybe I misunderstood the question!!!
I thought you wanted LDAP users who had access to Splunk, not just all AD users from your domain.
Glad you found a solution!
Have you tried using ldapsearch in Splunk? I guess it will work in this case.
From that same searchhead, can you see the LDAP users if you go to your_sh:8000/en-GB/manager/search/authentication/users
Please give me the full code.
I mean in a browser go to http(s)://your_splunk_search_head:8000/en-GB/manager/search/authentication/users
Thanks nickhillscpl,
But I don't know; in the browser it also lists only the Splunk console users.
The total Active Directory user account count is 480,
but only 13 user accounts are listed if I use "https://172.16.x.x:8000/en-GB/manager/search/authentication/users".
Is there any other method for listing all user accounts?
So this sounds like the search head you are running the query against only knows about the local users, which is why the management UI and the REST API are showing you only a few of them.
Are you sure the missing users are LDAP, and not SAML?
Yes, missing users are LDAP.
Please confirm: is "http(s)://your_splunk_search_head:8000" the Splunk console IP, the one I use to log in to the Splunk console?
Yes, this should be the address of the splunk server you access the user interface through.
Then I am using the correct one. Why does it list only a few accounts? These user accounts are able to access the Splunk console, meaning the listed accounts can log in at "https://172.16.x.x:8000/en-US/account/login".
Can you post the contents of $SPLUNK_HOME/etc/system/local/authentication.conf
(remove anything sensitive)
Sorry, I only have access to the console. I believe it would run on Linux.
If you run a splunk search with this: | rest splunk_server=local /servicesNS/-/-/authentication/providers/LDAP |search disabled=0
what do you get back?
(remove anything sensitive)
I ran the above code in search; below is the result. Copy the result below and paste it into Excel to see it in a readable form.
Provider 1: title = Splunk Admins
SSLEnabled: 0
anonymous_referrals: 0
author: nobody
bindDN: CN=s-splunk.user,OU=Users ABC-XYZ.net,DC=ABC-XYZ,DC=NET
bindDNpassword: ********
charset: utf8
disabled: 0
eai:acl.app: system
eai:acl.can_list: 1
eai:acl.can_write: 1
eai:acl.modifiable: 0
eai:acl.owner: nobody
eai:acl.perms.read: *
eai:acl.perms.write: *
eai:acl.removable: 1
eai:acl.sharing: system
emailAttribute: mail
groupBaseDN: CN=SplunkAdmins,OU=SECURITY OPERATIONS GROUPS,OU=SECURITY OPERATIONS,DC=ABC-XYZ,DC=NET
groupMappingAttribute: dn
groupMemberAttribute: member
groupNameAttribute: cn
host: lew-ABCXYZ-dc01.osi-snt.net
id: https://127.0.0.1:8089/servicesNS/nobody/system/authentication/providers/LDAP/Splunk%20Admins
nestedGroups: 1
network_timeout: 20
order: 1
port: 389
published: (empty)
realNameAttribute: displayname
sizelimit: 1000
splunk_server: LEW-SPLK-SH01
timelimit: 15
title: Splunk Admins
updated: 1969-12-31T19:00:00-05:00
userBaseDN: DC=ABC-XYZ,DC=NET
userNameAttribute: samaccountname

Provider 2: title = Splunk Readers (identical to provider 1 except for the fields below)
groupBaseDN: CN=SplunkReaders,OU=SECURITY OPERATIONS GROUPS,OU=SECURITY OPERATIONS,DC=ABC-XYZ,DC=NET
id: https://127.0.0.1:8089/servicesNS/nobody/system/authentication/providers/LDAP/Splunk%20Readers
order: 2
title: Splunk Readers