We are having multiple roles created in Splunk restricted by their index and users will be added to this role via AD group and we use LDAP method for authentication.  Below is authentication.conf [authentication] authType = LDAP authSettings = uk_ldap_auth [uk_ldap_auth] SSLEnabled = 1 bindDN = CN=Infodir-HBEU-INFSLK,OU=Service Accounts,DC=InfoDir,DC=Prod,DC=FED groupBaseDN = OU=Splunk Network Log Analysis UK,OU=Applications,OU=Groups,DC=Infodir,DC=Prod,DC=FED groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = aa-lds-prod.uk.fed port = 3269 userBaseDN = ou=HSBCPeople,dc=InfoDir,dc=Prod,dc=FED userNameAttribute = employeeid realNameAttribute = displayname emailAttribute = mail [roleMap_uk_ldap_auth] <roles mapped with AD group created> Checked this post - https://community.splunk.com/t5/Security/How-can-I-generate-a-list-of-users-and-assigned-roles/m-p/194811 and try to give the same command -  |rest /services/authentication/users splunk_server=local |fields title roles realname |rename title as userName|rename realname as Name Given this in SH search, but hardly returning only 5 results but we have nearly 100 roles created. Even given splunk_server=*, still the same result. I am having admin role as well and I hope I have the needed capabilities. Not sure what am I missing here? Any thoughts?   ... View more

I created a summary index to call it in dashboard because it has so much data and need to run for larger time frames. Configured summary index in this way - <my search query> ---- ---- ---- | eval log_datetime=strftime(_time, "%Y-%m-%d %H:%M:%S") | rename log_datetime AS "Time (UTC)" |table _time, "Time (UTC)", <wanted fields> | collect index=sony_summary Now calling it in one of my dashboard panel in this way -  index=sony_summary sourcetype=stash |search <passed drop-down tokens> |sort 0 -"Time (UTC)" | table "Support ID","Time (UTC)", _time --------  Now my requirement is I don't want users to see this summary index data. So I have created a drilldown and linked to different search as below. Whenever they click on any field value in table, new search will be opened with clicked support_id   <earliest>$time_range.earliest$</earliest> <latest>$time_range.latest$</latest> </search> <!-- Drilldown Configuration --> <!-- Enable row-level drilldown --> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$time_range.earliest$&amp;latest=$time_range.latest</link> </drilldown>   Now when I click on dashboard panel's field, it is opening with expected support_id as expected, but it is opening with token time range. I am expecting that this should return the particular time range at what time event indexed as per Time (UTC) or _time. Example - An event has support ID with time 07:00 am, when I click on it it should open for 7 am, but it is taking token time range. When I checked in chatgpt, it given in following one and modified it in this way. <table id="myTable"> <search> <query>index=sony_summary sourcetype=stash |search <passed drop-down tokens> |sort 0 -"Time (UTC)" |eval epoch_time=_time, epoch_plus60=_time+60 (added this now) | table "Support ID","Time (UTC)", _time -------- , epoch_time, epoch_plus60</query> </search> <earliest>$time_range.earliest$</earliest> <latest>$time_range.latest$</latest> </search> <!-- Drilldown Configuration --> <!-- Enable row-level drilldown --> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <link target="_blank">/app/search/search?q=search index=sony* sourcetype=sony_logs support_id="$click.value$"&amp;earliest=$row.epoch_time$&amp;latest=$row.epoch_plus60</link> </drilldown> Now this is working fine and time range is also coming what I clicked on. but here the issue is I don't want these two new fields - epoch_time, epoch_plus60 to be visible in dashboard. These should get hided completely but still drilldown should work as expected. What to do here? Please suggest me. Am I missing anything? Even if I keep those fields in the last in panel, still my manager said hide it but it should work as expected. ... View more