I found this search
| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]
I have a can_delete role, but it is not listed.
Your can_delete role is likely not associated with any index, so a left join starting with your indexes isn't going to show it.
Try this:
| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+) | stats values(*) as * by user
Now with expanded _* and * indexes:
| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*
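The user-first expansion discussed above, modelled offline as an added Python example that is not part of the original thread and is not Splunk's own code. It goes slightly beyond the `*` / `_*` case by also handling prefix patterns. The data is constructed to resemble the three REST endpoints; the user `abc` and the `christine*` pattern are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the three REST endpoints used in the thread.
USERS = {"xyz": ["admin", "can_delete"], "abc": ["new_user_role"]}
ROLES = {
    "admin": ["*", "_*"],
    "new_user_role": ["_internal", "christine*"],  # assumed patterns
    "can_delete": [],                               # no srchIndexesAllowed at all
}
INDEXES = ["_audit", "_internal", "_introspection", "_thefishbucket",
           "christine", "christine_new", "main", "os"]


def expand(patterns, indexes):
    """Expand srchIndexesAllowed patterns into concrete index names.

    A pattern only matches indexes of its own kind: patterns starting with
    "_" match internal indexes, all others match non-internal ones, so "*"
    never pulls in _audit or _internal.
    """
    hits = set()
    for pat in patterns:
        for idx in indexes:
            if pat.startswith("_") == idx.startswith("_") and fnmatchcase(idx, pat):
                hits.add(idx)
    return sorted(hits)


def access_report(users, roles, indexes):
    """Return rows (user, role, [indexes]), starting from users so that a
    role with no index access still yields a row with an empty list."""
    rows = []
    for user in sorted(users):
        for role in users[user]:
            rows.append((user, role, expand(roles.get(role, []), indexes)))
    return rows


if __name__ == "__main__":
    for user, role, idx in access_report(USERS, ROLES, INDEXES):
        print(f"{user:5} {role:14} {', '.join(idx) or '(no indexes)'}")
```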
Thanks Martin, it worked now :<). You are the best.
Thanks! Yours worked partially. It showed all the roles but not all indexes. It did not show indexes like _fishbucket, _audit, _blocksignature, _introspection and user-created indexes.
Yes, I want it to expand and list all indexes. From the search I posted, it showed like this:
index_name Role User
_audit admin xyz
_blocksignature admin xyz
_internal admin xyz
_internal new_user_role xyz
_introspection admin xyz
_thefishbucket admin xyz
christine admin xyz
christine test_role xyz
christine_new admin xyz
Your query looks like this:
user roles srchIndexesAllowed srchIndexesDefault
xyz admin * _* main os
Thanks Martin! I tried the new updated search. Now it does not list the can_delete role when I combine the search I posted with your search.
Martin,
This new one you posted does not show the can_delete role; it showed all indexes and other roles.
| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer=(\S+) | makemv srchIndexesDefault tokenizer=(\S+)
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*
So... you want to expand * and _* into a list of all non-internal / internal indexes?
I've added a slightly more verbose search that will expand * and _* into a list of indexes, give that a shot.
I see... minor issue with mvexpand and null values, I've replaced the search.
Don't combine searches, just take the one from my answer.
You can try this:
| rest /services/authentication/users |rename title as User, roles as Role |stats count by User Role |fields - count| appendcols [ |rest /services/authorization/roles |table title srchIndexesAllowed|rename title as Role]|stats values(Role) as Role values(srchIndexesAllowed) as Indexes by User
User Role Indexes
admin admin * _*
It does not show all index names.
It won't. That's not how the data is returned. If the role has access to individual indexes, they will show. It is straight from the manager gui page.
But your search only showed the admin role, and the indexes only show (_*) and not all the indexes.
Try it again. If you see *, that means All Indexes.