Here is what I could summarize:

1. Splunk authentication (I call it local settings) and all local users' logins/passwords are stored in the $SPLUNK_HOME$/etc/passwd file. After users log in, their profiles will be located in the $SPLUNK_HOME$/etc/users/ directory.

2. This is the way that I use to manage the users, because I am using RADIUS authentication as mentioned above. I listed below the links that I followed to download and configure, so you could do your lab. After completing the app installation and configuration, log in to the SH > click Settings > Add Data > Files & Directories ($SPLUNK_HOME$/etc/apps/radius_auth/local/user_info is the directory that will be monitored) > follow the rest of the basic process.

Download app: https://splunkbase.splunk.com/app/981/

Configure the RADIUS access: https://lukemurphey.net/projects/splunk-radius-auth/wiki/Install_and_Configuration

(I could not show you my system snapshot because it is not a lab, but if you have one, you could share it.)