I'm now using the parameter roles to filter out better which are the users that are supposed to get an email:
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | where roles = "can_login_user" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /, /g"
If I could check for its LDAP groups (at AD), I would solve my problem. Can Splunk do that?
... View more