Splunk Search

Query to find out users belong to a particular role

kteng2024
Path Finder

Is there any query to find out users belong to a particular role . For example , if i have a role called "least_role" , how can i checkout how many users in splunk are having this role and their names .

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

Try this:

| rest /services/authentication/users splunk_server=local 
| fields roles title realname 
| rename title as username 
| search roles=admin

Change the value of roles in the last bit to the role you want to search on.

If you want a table of all roles and users assigned to each role, try this:

| rest /services/authentication/users splunk_server=local 
| fields roles title realname 
| rename title as username 
| sort roles

View solution in original post

kmorris_splunk
Splunk Employee
Splunk Employee

Try this:

| rest /services/authentication/users splunk_server=local 
| fields roles title realname 
| rename title as username 
| search roles=admin

Change the value of roles in the last bit to the role you want to search on.

If you want a table of all roles and users assigned to each role, try this:

| rest /services/authentication/users splunk_server=local 
| fields roles title realname 
| rename title as username 
| sort roles

gjanders
SplunkTrust
SplunkTrust

It would be worth mentioning that the query shows you users with that role who have logged in, not users who are in an LDAP system with that role or similar.

I'm also assuming the userlist in Splunk from recent logins is limited in some ways...

gjanders
SplunkTrust
SplunkTrust

When using ldap this shows cached users which has a limit...you can increase the limit in splunk config if you have a large user base.

Furthermore enable paging is required if you cannot obtain all users from a single query, available in 7.3 and above 

 

With the right settings I can see over 3000 users after restart 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...