1) The following search will return a list of all known users as well as a semicolon-separated list of the indexes they have access to:
| rest /services/authentication/users
| rename title AS username roles AS role
| mvexpand role
| fields realname username role
| join type=outer role [
rest /services/authorization/roles
| rename title AS role | eval indexes=mvjoin(srchIndexesAllowed," ; ")
| fields role indexes]
| table realname username role indexes
A few caveats:
2) This is a rather difficult mapping to establish as search strings are recorded without an expanded list of accessed indexes in the _audit events.
Great, thanks - I wonder why this isn't working though:
|rest /services/authentication/users splunk_server=local
|fields title roles realname
| mvexpand roles
| append [| rest /services/authorization/roles | table title srchIndexesAllowed
| rename title as roles
| mvexpand srchIndexesAllowed]
| stats list(*) as * by title, realname
Once I do the stats list I lose the srchIndexesAllowed column. Any ideas?
I have the same question. I would be interested to know if the past two years have brought around a way to improve this answer?
A way to get the same information without using a rest call that only the admin can do.
Why not put the results in a CSV?
A scheduled search could take care of this. The CSV access can then be set to whatever you want.
And perhaps a way to expand the wildcards in indexes.
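The following search is an added example and is not part of the original thread or of Splunk's own documentation; it builds on the first answer's user -> role -> srchIndexesAllowed join and also addresses the last comment about expanding wildcards in the index list. It assumes the searching account may call the three REST endpoints (/services/authentication/users, /services/authorization/roles and /services/data/indexes), that /services/data/indexes on the local search head lists the indexes a user can actually search, and that the roles endpoint returns the real imported_roles field alongside srchIndexesAllowed. The field names index_pattern, index_regex, index_name and join_key are chosen here for readability and are not Splunk field names. SPL has no inline comment syntax that survives a code fence, so the steps are explained in prose below the search.

```spl
| rest /services/authentication/users splunk_server=local
| rename title AS username roles AS role
| fields realname username role
| mvexpand role
| join type=left role [
    | rest /services/authorization/roles splunk_server=local
    | rename title AS role
    | fields role imported_roles ]
| eval role=if(isnull(imported_roles), role, mvappend(role, imported_roles))
| fields - imported_roles
| mvexpand role
| join type=left max=0 role [
    | rest /services/authorization/roles splunk_server=local
    | rename title AS role
    | fields role srchIndexesAllowed
    | mvexpand srchIndexesAllowed
    | rename srchIndexesAllowed AS index_pattern ]
| eval join_key=1
| join type=left join_key [
    | rest /services/data/indexes splunk_server=local
    | stats values(title) AS index_name
    | eval join_key=1 ]
| mvexpand index_name
| eval index_regex="^" . replace(replace(index_pattern, "\*", ".*"), "\?", ".") . "$"
| where match(index_name, index_regex)
| eval realname=coalesce(realname, username)
| stats values(role) AS roles values(index_name) AS indexes BY username realname
| eval indexes=mvjoin(indexes, " ; ")
```

Step by step: the first join pulls each role's imported_roles and mvappend/mvexpand adds them to the user's role list (one level of inheritance only; roles that import roles that import further roles would need the join repeated). The second join, with max=0 so that every pattern of a role is kept rather than only the first, gives one row per user, role and allowed-index pattern. The third join attaches the full list of real index names as a single multivalue field through a constant join_key, mvexpand turns it into one row per candidate index, and the pattern is converted to an anchored regex (`*` to `.*`, `?` to `.`) so that match() keeps only the indexes the pattern actually covers, including the `_*` internal indexes. Users whose roles grant no indexes at all drop out at the where clause, so an empty result for an account means "no search access", not "account missing". The example uses join rather than the append-then-stats approach from the follow-up question because stats BY discards rows in which any BY field is null: the appended role rows carry no realname, so they never merge with the user rows and the srchIndexesAllowed column disappears. coalesce(realname, username) guards the final stats against the same problem for users without a realname. Because all three endpoints require the right to read user and role configuration, scheduling this search as an admin and writing the output to a lookup CSV, as suggested above, is the practical way to give non-admins a read-only view of who can search which indexes.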