Splunk Search

Is there a search or other way to easily list the indexes I am permissioned to search?

juniormint
Communicator

I have a multiple index system where some roles can search some indexes and other roles other indexes. My personal user has several roles with access to multiple indexes. There are enough of them that I sometimes want to review the list for reference.

Is there a search or some other nice way to get the list of indexes I am allowed to search?


juniormint
Communicator

@gkanapathy gave what seems to me the simplest, performant answer, so thanks! Love all the other answers too with diff takes on it.

0 Karma

kristian_kolb
Ultra Champion

juniormint, you have a few different answers to choose from. Did either one work especially well for you?

/k

0 Karma

lukejadamec
Super Champion

All of these answers are pretty useless without permissions or some other Splunk magic.

This search will give you a list of indexes you have permissions to search, but it will take a few minutes to run, and will only capture indexes that were active in the time frame of the search.
The best part is, it will work for anyone with permission to search.

index="*" OR index="_*" | dedup index | table index
0 Karma

gkanapathy
Splunk Employee

For a specific user, the easiest and fastest is:

| eventcount summarize=f index=_* index=* | stats count by index

Every user can run this from search, so you don't need access to rest. On the other hand, you can't get this information for another user using this method. It will include indexes that are empty as well.


juniormint
Communicator

For my purposes this seems like the simplest and it is very quick to return. Thanks! @gkanapathy

0 Karma

lukejadamec
Super Champion

Thanks, I guess I figured the pipe in the beginning was assuming a preceding string. It was much faster than my search.

0 Karma

gkanapathy
Splunk Employee

And just to be clear, the eventcount command does not require any special permissions. It is the same command that was used on the Splunk 4.x and 5.x pages to display the total numbers of events on the search app overview page.

0 Karma

gkanapathy
Splunk Employee

I enter it exactly as is in the search bar. It has worked for me in every version from 4.1 or so till now.

0 Karma

lukejadamec
Super Champion

How do you get this search to work?
I'm running Splunk 5.0.2 as admin and when I run this search it yields No Results.

0 Karma

alacercogitatus
SplunkTrust

I'll do one better, I do this every day, so when I have to check I can just "|inputlookup user_authorizations.csv | search username=$USER". This might not work if you don't have permissions on the endpoints.

| rest /services/authentication/users
| rename title AS username roles AS role
| mvexpand role
| fields realname username role
| join type=outer role [
    | rest /services/authorization/roles
    | rename title AS role | eval indexes=mvjoin(srchIndexesAllowed," ; ")
    | fields role indexes]
| table realname username role indexes | outputlookup user_authorizations.csv

alacercogitatus
SplunkTrust

Please accept the answer that has answered your question most completely.

0 Karma

kristian_kolb
Ultra Champion

I guess that going into the manager is not the answer you want. 🙂

| rest /services/admin/roles | table title, srchIndexesAllowed | rename title as role

could be what you want? I don't think very restricted roles can perform this search, but the ordinary user role can find out its permissions.

/K
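
The role-to-index join from alacercogitatus's answer, worked offline as an added Python example (not code from any poster in this thread): it resolves each user's searchable indexes from role records, following role inheritance and the rule that a wildcard reaches internal indexes only when it starts with an underscore. The role, user and index data are constructed, and the `imported_roles` field is an assumption that does not appear in the thread.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the fields the thread's REST searches return.
# "imported_roles" (role inheritance) is an assumption; it is not shown in the thread.
ROLES = {
    "user":    {"srchIndexesAllowed": ["main"], "imported_roles": []},
    "netops":  {"srchIndexesAllowed": ["net_*"], "imported_roles": ["user"]},
    "auditor": {"srchIndexesAllowed": ["_audit", "*"], "imported_roles": []},
}
USERS = {"alice": ["netops"], "bob": ["auditor"], "carol": ["user", "ghost"]}
INDEXES = ["main", "net_fw", "net_dns", "hr", "_audit", "_internal"]


def role_patterns(role, roles, seen=None):
    """Collect srchIndexesAllowed patterns for a role and every role it imports."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:   # break cycles, skip undefined roles
        return set()
    seen.add(role)
    patterns = set(roles[role]["srchIndexesAllowed"])
    for parent in roles[role]["imported_roles"]:
        patterns |= role_patterns(parent, roles, seen)
    return patterns


def pattern_matches(pattern, index):
    """Wildcard match; a pattern reaches _-prefixed indexes only if it starts
    with "_" itself, which is why the thread pairs index=* with index=_*."""
    if index.startswith("_") != pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def searchable_indexes(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Indexes the user can search through any assigned or inherited role."""
    patterns = set()
    for role in users.get(user, []):
        patterns |= role_patterns(role, roles)
    return sorted(i for i in indexes if any(pattern_matches(p, i) for p in patterns))


def broad_grants(roles=ROLES):
    """Roles whose own grant is a catch-all wildcard, worth a least-privilege review."""
    return sorted(r for r, cfg in roles.items()
                  if {"*", "_*"} & set(cfg["srchIndexesAllowed"]))


if __name__ == "__main__":
    print({u: searchable_indexes(u) for u in USERS}, broad_grants())
```

Comparing this computed list with what the `eventcount` search returns for the same user is a quick way to spot a role that grants more than intended.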
