Splunk Search

REST call in subsearch

brdr
Contributor

I have this search provided by @somesoni2. I making a simple change to it so it provides a list of indexes that a user has access to. In order to do this you must search via REST the user, role, and indexes data.

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role] | dedup index_name | table index_name

In the last REST subsearch | rest /services/authentication/users all i'm trying to do is add *| rest /services/authentication/users | search title="a name goes here" **. By putting a name in I just want to get back a single user. I'm building a dashboard that will allow a user to query what index a user can access based on their roles. If I pull out this subsearch and run separately it works just fine.

Thx

0 Karma
1 Solution

koshyk
Super Champion

Please try like..

| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role| search User="admin"
 | join type=left Role [| rest /services/authorization/roles splunk_server="local" 
 | table title, srchIndexesAllowed| eval srchIndexesAllowed=mvjoin(srchIndexesAllowed,"; ")
 | rex field=srchIndexesAllowed mode=sed "s/_\*/ALL_INTERNAL/g"
 | rex field=srchIndexesAllowed mode=sed "s/\*/ALL_NON-INTERNAL/g"
 | rename title as Role]

I've put a filter of search User="admin" in the 1st line, may be you can try your own

View solution in original post

0 Karma

brdr
Contributor

awesome koshyk! thank you.

0 Karma

koshyk
Super Champion

Please try like..

| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role| search User="admin"
 | join type=left Role [| rest /services/authorization/roles splunk_server="local" 
 | table title, srchIndexesAllowed| eval srchIndexesAllowed=mvjoin(srchIndexesAllowed,"; ")
 | rex field=srchIndexesAllowed mode=sed "s/_\*/ALL_INTERNAL/g"
 | rex field=srchIndexesAllowed mode=sed "s/\*/ALL_NON-INTERNAL/g"
 | rename title as Role]

I've put a filter of search User="admin" in the 1st line, may be you can try your own

View solution in original post

0 Karma