Splunk Search

Report on users & roles

chris
Motivator

Is there an easy way I can list & export all users that have a certain role or that have access to a certain index or a certain capability?

It would be nice if I could do something like:

| metadata type=users

or
index=_users role=xy   

or any other method would be ok

Tags (3)
0 Karma

Ant1D
Motivator

The following search will show you what capabilities each user has used within the timeframe that you set:

index=_audit user=* action=* | dedup user action | stats list(action) AS actions by user

chris
Motivator

Thanks for looking into this.

0 Karma

Ant1D
Motivator

I had a look at this earlier today. I haven't had much luck. There doesn't appear to be a straightforward way of achieving this format of mapping.

0 Karma

Ant1D
Motivator

Makes sense. I will have a go when I get a minute.

0 Karma

chris
Motivator

Thank you for your answer. It kind of helps. I guess the real requirement behind my question is the following: The owner of some data that is in Splunk wants to know who had access to "his" data (=index) at a specific point in time and if the person has read only or also delete priviledges & what priviledges have been used. So you answer helps in showing what priviledges have been used. But I would also like to have a index to role to user mapping ... does that make sense?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...