Splunk Search

List all created users with their roles.

omateusz
New Member

Hi,

I would like to see the roles of the created users, not the roles of the user who created the account. Is there a way to do this?

index=_audit action=edit_user operation=create 
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp = strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| join user 
    [| rest /services/authentication/users 
    | fields title roles 
    | rename title AS user ]
| rename object as created_user, user as created_by
| stats  values(roles) as user_roles values(timestamp) as timestamp values(host) as created_on by timestamp_formated created_user created_by 
| sort - timestamp
| fields - timestamp
0 Karma

woodcock
Esteemed Legend

Here is how we audit and figure out who is able to do what and slowly remove those who don't need it.

```users with their directly assigned roles, one row per user/role pair```
| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
```roles with the roles they import, so inheritance can be resolved```
| appendpipe [
    | rest /services/authorization/roles
    | dedup id
    | rename title AS role_direct
    | eval role_add = role_direct
    | eval combined_roles=mvappend(role_add,imported_roles)
    | mvexpand combined_roles
    | fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
```capabilities of every role, direct or inherited```
| appendpipe [
    | rest /services/authorization/roles
    | dedup id
    | rename title AS combined_role
    | fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
```narrow to one capability to see who can do it and through which role```
| search capability="edit_user"
0 Karma

martin_mueller
SplunkTrust

You're joining on the field user, which is the creating user in your audit logs - the created user is in the field object.

Change your rename to AS object inside the join, and join on object.

0 Karma
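The corrected search that the answer above describes, written here as an added example rather than either poster's own query. It assumes the same _audit fields (user = actor, object = created account) and keeps a left join so that accounts deleted since creation still appear, with empty roles, instead of silently dropping out of the audit list.

```spl
index=_audit action=edit_user operation=create
```join on object (the created account), not on user (the admin who created it)```
| join type=left object
    [| rest /services/authentication/users
     | fields title roles
     | rename title AS object ]
| rename object AS created_user, user AS created_by
```one row per created account and creator; latest(_time) avoids re-parsing the timestamp string```
| stats values(roles) AS user_roles values(host) AS created_on latest(_time) AS created_at BY created_user created_by
```sort on the epoch value, then only change how it is displayed so ordering stays chronological```
| sort - created_at
| fieldformat created_at=strftime(created_at, "%d/%b/%Y %H:%M:%S")
```an empty user_roles column means the account no longer exists on this search head```
| table created_at created_user created_by user_roles created_on
```

The rest call reports users and roles of the search head the search runs on, so on a distributed deployment run this where the accounts were created.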