Splunk Search

Report on users & roles

chris
Motivator

Is there an easy way I can list & export all users that have a certain role or that have access to a certain index or a certain capability?

It would be nice if I could do something like:

| metadata type=users

or
index=_users role=xy   

or any other method would be ok

Tags (3)
0 Karma

Ant1D
Motivator

The following search will show you what capabilities each user has used within the timeframe that you set:

index=_audit user=* action=* | dedup user action | stats list(action) AS actions by user

chris
Motivator

Thanks for looking into this.

0 Karma

Ant1D
Motivator

I had a look at this earlier today. I haven't had much luck. There doesn't appear to be a straightforward way of achieving this format of mapping.

0 Karma

Ant1D
Motivator

Makes sense. I will have a go when I get a minute.

0 Karma

chris
Motivator

Thank you for your answer. It kind of helps. I guess the real requirement behind my question is the following: The owner of some data that is in Splunk wants to know who had access to "his" data (=index) at a specific point in time and if the person has read only or also delete priviledges & what priviledges have been used. So you answer helps in showing what priviledges have been used. But I would also like to have a index to role to user mapping ... does that make sense?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...