All indexes not explicitly granted to a role

| rest /servicesNS/-/-/data/indexes count=0
 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
 | fillnull
 | where internal=0 AND disabled=0 AND readonly=0
 | fields title
 | rename title as index
 | join index type=left
 [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*") ]
 | search NOT role=*
 | fields index


I found this at:
Credit goes to acharlieh!

Share This:

Leave A Comment?