packet_hunter
Contributor
02-09-2017
02:32 PM
Is there a way to search who has access to an index without having to dig through the access controls, roles and users?
Thank you
1 Solution
somesoni2
Revered Legend
02-09-2017
03:14 PM
Not sure if this is what you're looking for. The query below gives the mapping of each index to the role which has access.
| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
This query extends the above solution and adds the users as well, so you get user, corresponding role and accessible indexes.
| rest /services/authentication/users splunk_server=local | table title roles | rename title as user | rename roles as title | mvexpand title | join type=left max=0 title [| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes]
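The same user, role and index resolution done offline on exported role data, as an added example that is not part of the original answer; it goes one step beyond the posted queries by also expanding partial wildcards such as `win*`. The role, user and index names are constructed sample data, and the rule that a pattern not starting with `_` never matches an internal index is an assumption modeled on the `match(title,"^_")` test in the query.

```python
from fnmatch import fnmatchcase

# Constructed sample data, shaped like the fields the queries above read
# (srchIndexesAllowed / srchIndexesDefault per role, roles per user).
ROLES = {
    "admin":   {"srchIndexesAllowed": ["*", "_*"], "srchIndexesDefault": ["main"]},
    "soc":     {"srchIndexesAllowed": ["win*", "firewall"], "srchIndexesDefault": ["firewall"]},
    "auditor": {"srchIndexesAllowed": ["_audit"], "srchIndexesDefault": []},
}
USERS = {"alice": ["admin"], "bob": ["soc", "auditor"]}
INDEXES = ["main", "firewall", "wineventlog", "winperf", "_audit", "_internal"]


def expand(pattern, indexes):
    """Resolve one srchIndexes* entry to concrete index names."""
    if "*" not in pattern:
        return {pattern}  # literal name: kept as-is, like the left join does
    # Assumption: a pattern covers internal indexes only if it starts with "_".
    internal = pattern.startswith("_")
    return {i for i in indexes
            if i.startswith("_") == internal and fnmatchcase(i, pattern)}


def role_indexes(role, indexes):
    """All indexes one role can search (allowed plus default, de-duplicated)."""
    patterns = role["srchIndexesAllowed"] + role["srchIndexesDefault"]
    return set().union(*(expand(p, indexes) for p in patterns))


def access_map(users, roles, indexes):
    """Sorted (user, role, index) rows, the shape the second query returns."""
    return sorted({(user, role, idx)
                   for user, user_roles in users.items()
                   for role in user_roles if role in roles
                   for idx in role_indexes(roles[role], indexes)})


def who_can_search(index, users, roles, indexes):
    """Users that can reach one index, and the role that grants it."""
    return [(u, r) for u, r, i in access_map(users, roles, indexes) if i == index]


if __name__ == "__main__":
    for row in access_map(USERS, ROLES, INDEXES):
        print(*row, sep="\t")
```

Like the posted queries, this reads only each role's own index settings and does not follow inherited roles.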
packet_hunter
Contributor
02-09-2017
03:58 PM
Thank you!
chris
Motivator
11-19-2019
12:34 AM
Wow, that's a clever search, thank you
