Splunk Search

Need help creating search to list all existing users on server.

Explorer

I am confused about something. I have seen people using this to get a list of users on a system:

| rest /services/authentication/users splunk_server=local

But if I do a search like this:

index=* user=* | stats count by user

I also see users listed in the "user" field under "interesting fields".
The user names in the results of both of these searches are different. So my question is, what is the difference between the results of these searches, which both seem to give some list of users on the system?


SplunkTrust

Try and match the rest search to: index=_audit user=*
When searching index=* it's against the data indexes and not the Splunk internal indexes, so maybe the users are on Windows or *nix or whatever.
Hope it helps.


Explorer

Oh ok. I think I am wondering what the difference is between the data indexes vs. the Splunk internal indexes?


SplunkTrust

Splunk data indexes hold all the data that is being sent to Splunk from all the different data sources.
Splunk internal indexes (starting with an underscore "_": _internal, _audit, and more) hold data that Splunk generates about itself: its own operation, access, etc.


Explorer

I see. So the users that get listed from index=_audit user=* are users on Splunk Web (Splunk Enterprise), and the users that are listed from index=* user=* | stats count by user are users on the forwarders that are sending data to the Splunk data indexes?

I need the search to list all users on my forwarder. I can use index=* user=* | stats count by user, which shows the count of logs organized by all users, but if I were to delete one of the users it would still show that deleted user because it's looking at all the logs. I need my search to be able to list users that currently exist on the forwarder. Is it possible to search some kind of data on my forwarder that shows all currently existing users?


SplunkTrust

If you have the data, everything is possible.
I suggest opening a new question; the title may be "help finding all users on my system".
Try and describe the data you have in Splunk: is it Windows? Linux? Other?
How do you capture the unique values for users?
It can be something like: ... | stats values(user) as users | mvexpand users
or ... | dedup user | table user
Plenty of ways to achieve it.

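As an added illustration of the distinction discussed in this thread (not from any of the posters above), the search below puts the three user sources side by side: Splunk accounts from the rest endpoint, users seen in the _audit index, and "user" values seen in the data indexes. The source labels and the 24-hour window are assumptions chosen for the example.

```spl
| rest /services/authentication/users splunk_server=local
| fields title
| rename title AS user
| eval source="splunk_account"          ``` accounts that exist on the Splunk instance right now ```
| append
    [ search index=_audit user=* earliest=-24h
      | stats count BY user
      | fields user
      | eval source="audit_event" ]     ``` Splunk users who performed an action (login, search, ...) ```
| append
    [ search index=* user=* earliest=-24h
      | stats count BY user
      | fields user
      | eval source="data_event" ]      ``` "user" values from forwarded OS/app logs, not Splunk accounts ```
| stats values(source) AS seen_in BY user
| eval note=case(
    seen_in=="data_event",  "only in forwarded data: an OS/app user, not a Splunk account",
    seen_in=="splunk_account", "Splunk account with no recent activity in _audit",
    true(), "")
| table user seen_in note
```

A user that appears only under data_event is exactly the case from the question: the name is a value inside indexed events, so deleting the account on the forwarder host does not remove it from historical search results.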