I have a linux box with a universal forwarder sending linux data to my Splunk enterprise. I am trying to detect when a user creates another user by running useradd User2 Below is my search string: index=main host=myhost useradd This gives me the logs I want but how do I know the username of the user that created the new user? For example. User1 creates User2....The logs show that User2 was created but it only shows the uid of User1 who did the creating and it does not tell me the actual username which should be User1. How do I get the username of the user who creates new users?? ... View more

I have the latest version of Linux Auditd, version 2.0.5. I go to the configuration tab in the linux auditd app and click submit to run the dashboard searches so it will learn all the posix users. I have recently deleted some users and now the uids of existing users are matched with deleted users. For example, my current existing user is tuser and its uid is 1007 but now when I search index=* host=MY_HOST auid=1007 the field user in the "Interesting Fields section" on the Splunk web says jonny NOT tuser and that is because I recently deleted a user named jonny and create tuser and then refreshed the linux auditd dashboard to learn to posix users and now its confused. I have seen others talking about this problem and people have said this issue was fixed in the latest version but I am having problems with it WITH the latest version of linux auditd. Its really messing up my searches that are relying on the user field. Who can help me?? ... View more

I am trying to use stats command to display data organized by My_Field where My_Field is populated by running lookup my_lookup_script username AS user Here's the example of the search string: | stats STUFF by My_Field | lookup my_lookup_script username AS user My problem is that My_Field is not populated for the stats command to use because the lookup command happens after the stats command. I tried simply running the lookup BEFORE the stats command but the lookup needs to run at the end of the search because if it does not then the lookup does not work properly. If the lookup runs before the stats command It gets inconsistent values for user . Seems like the lookup has to be at the end so the whole search can finish running and have the correct data in user for the script to use. How can I have the lookup run after that stats command to where the stats command can use the My_Field ... View more

I have splunk enterprise running on a linux box and I also have splunk universal forwarder running on a second linux box. How can I write a search that will display all currently existing users on my universal forwarder? I'm not talking about showing logs that are associated with all users...I simply want a list of all users on my forwarder that exist at the time the search was ran. EDITED: For example....If I login to my linux box that has the universal forwarder on it and run adduser user1, adduser user2, adduser user3, THEN on my Splunk enterprise I could run my search string and it would list user1, user2, user3 (given that those were the only three users that exist on my linux universal forwarder). How can I accomplish this? What data do I need to get from my forwarder? ... View more

I am confused about something. I have seen people using this to get a list of users on a system: rest /services/authentication/users splunk_server=local But If i do a search like this: index=* user=* | stats count by user I also see users listed in the "user" field under "interesting fields" The user names in the results of both of these searches are different. So my question is, what is the difference between the results of these searches which both seems to give a some list of users on the system.? ... View more

I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string. For example, if I wanted to list all users who are or are not privileged group members I could say something like: index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED) I have looked into trying to use a external scripted lookup that will connect to my LDAP and do a query but no luck yet. I am also seeing some answers that say to use something like this: | rest /services/authentication/users splunk_server=local | table realname no idea what exactly that does or what/where /services/authentication/users is. How can I accomplish this? ... View more