Splunk Enterprise

Users with multiple roles - effective settings for search Disk Usage

kozanic_mg
Explorer

Hi All,

We are trying to organise some monitoring / Alerting for users and search disk usage and I know SplunkAdmins app has some stuff, but we need something a little different.

What I need atm is a way to determine a users effective settings as most users have at least 2 or more roles and I haven't found any clear way to determine what a given users allowance is to be able to configure an alert against.

Not sure if I have just missed something simple?

Hoping someone out there might have some suggestions.

Thanks in advance!

Labels (2)
0 Karma
1 Solution

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

View solution in original post

0 Karma

kozanic_mg
Explorer

Have managed to work out this report which give me what I need: 

| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as username
| mvexpand roles
| search roles IN (<Add role list here if you have limited number that provide functional access - or remove this like if you need to search all roles>)
| join type=left roles
[| rest /services/authorization/roles splunk_server=*search*
| rename title as roles
| table roles srchDiskQuota]
| sort username -srchDiskQuota
| eval CaptureDate = now()
| table username, srchDiskQuota, roles, CaptureDate
| inputlookup append=true ops_usersDiskQuota.csv
| dedup username
| outputlookup override_if_empty=false ops_usersDiskQuota.csv

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!