Hi @Varun18 Its not easy to get a list of all the usernames, but passwords is easy with the /services/storage/passwords endpoint. However you might have some success with the following search I've put together. It uses a map command so be careful - it gathers the passwords then attempts to reconstruct the stanza from the config file it originated in! | rest /services/storage/passwords
| search clear_password!="``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``"
| table clear_password realm username
| rex field=realm ".+\#(?<app>[^\#]+)\#(?<configPath>.+)"
| table app configPath username *
| rex field=username "(?<stripUsername>[^\`]+)"
| stats latest(*) AS *, list(clear_password) as concat_clear_password by configPath username app
| eval restPath="/servicesNS/-/-/".configPath."/".stripUsername
| map maxsearches=100 search="
| rest $restPath$
| foreach * [| eval secretField=mvappend(secretField,IF('<<FIELD>>'==\"******\",\"<<FIELD>>\",null()))]
| eval clear_password=\"$concat_clear_password$\"
| eval configPath=\"$configPath$\"
| eval app=\"$app$\"
| fields - eai:* author disabled published updated splunk_server
"
| rex field=configPath "configs/conf-(?<configFileName>[^\/]+)"
| eval isJson=IF(json_valid(clear_password),"isJson","NotJson")
| tojson
| eval jsonKeys=json_array_to_mv(json_keys(_raw))
| eval stanza="==".app."/".configFileName.".conf==
[".title."]
"
| foreach jsonKeys mode=multivalue
[| eval stanza=stanza.IF(<<ITEM>> IN ("id","secretField","title","configFileName","configPath","isJson","clear_password","app"),"",<<ITEM>>."=".coalesce(json_extract(clear_password,<<ITEM>>),json_extract(_raw,<<ITEM>>))."
")]
| table stanza 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
... View more
