REST call in subsearch

brdr
Contributor

I have this search provided by @somesoni2. I am making a simple change to it so it provides a list of indexes that a user has access to. In order to do this you must search via REST the user, role, and indexes data.

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role] | dedup index_name | table index_name

In the last REST subsearch, | rest /services/authentication/users, all I'm trying to do is add | rest /services/authentication/users | search title="a name goes here". By putting a name in I just want to get back a single user. I'm building a dashboard that will allow a user to query what index a user can access based on their roles. If I pull out this subsearch and run it separately it works just fine.

Thx

0 Karma
1 Solution

koshyk
Super Champion

Please try like..

| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role| search User="admin"
 | join type=left Role [| rest /services/authorization/roles splunk_server="local" 
 | table title, srchIndexesAllowed| eval srchIndexesAllowed=mvjoin(srchIndexesAllowed,"; ")
 | rex field=srchIndexesAllowed mode=sed "s/_\*/ALL_INTERNAL/g"
 | rex field=srchIndexesAllowed mode=sed "s/\*/ALL_NON-INTERNAL/g"
 | rename title as Role]

I've put a filter of search User="admin" in the 1st line; maybe you can try your own.

0 Karma
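
For an offline access review, the user-to-role-to-index resolution that the searches in this thread perform can be reproduced over exported REST results. The following is an added example, not code from either poster: the sample records are constructed, the function names are hypothetical, and it goes beyond the thread by also reading `imported_srchIndexesAllowed` (patterns inherited from other roles) when that field is present.

```python
import re

# Constructed sample data shaped like the output of the three REST endpoints
# used in the thread (users, roles, indexes). All values are made up.
USERS = [{"title": "alice", "roles": ["soc_analyst", "user"]},
         {"title": "bob", "roles": ["auditor"]}]
ROLES = [
    {"title": "user", "srchIndexesAllowed": ["main"]},
    {"title": "soc_analyst", "srchIndexesAllowed": ["sec_*"],
     "imported_srchIndexesAllowed": ["_audit"]},
    {"title": "auditor", "srchIndexesAllowed": ["*", "_*"]},
]
INDEXES = ["main", "sec_fw", "sec_edr", "secXfw", "netops", "_internal", "_audit"]


def is_internal(name):
    """Internal indexes are the ones whose name starts with an underscore."""
    return name.startswith("_")


def pattern_matches(pattern, index_name):
    """Match one srchIndexesAllowed pattern against one index name.

    Same split as the thread's joinfield / ALL_INTERNAL logic: a pattern that
    starts with "_" only covers internal indexes, any other pattern only
    non-internal ones. "*" is the only wildcard; "_" is matched literally
    (SPL's like() would treat "_" as a single-character wildcard).
    """
    if is_internal(pattern) != is_internal(index_name):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def indexes_for_user(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Return {index_name: sorted list of the user's roles that grant it}."""
    role_names = next((u["roles"] for u in users if u["title"] == user), [])
    by_name = {r["title"]: r for r in roles}
    granted = {}
    for role in role_names:
        entry = by_name.get(role, {})
        patterns = (entry.get("srchIndexesAllowed", [])
                    + entry.get("imported_srchIndexesAllowed", []))
        for idx in indexes:
            if any(pattern_matches(p, idx) for p in patterns):
                granted.setdefault(idx, []).append(role)
    return {idx: sorted(r) for idx, r in sorted(granted.items())}


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody"):
        print(name, indexes_for_user(name))
```

Keeping the granting roles alongside each index shows which role assignment to revisit when a user can search more than intended.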

brdr
Contributor

awesome koshyk! thank you.

0 Karma
