All indexes not explicitly granted to a role

REST
ItsJohnLocke
You already voted!

| rest /servicesNS/-/-/data/indexes count=0
 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
 | fillnull
 | where internal=0 AND disabled=0 AND readonly=0
 | fields title
 | rename title as index
 | join index type=left
 [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*") ]
 | search NOT role=*
 | fields index

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376
Credit goes to acharlieh!

Splunk Query Repository

All indexes not explicitly granted to a role

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

All indexes not explicitly granted to a role

Related Queries

Get Fields Defined for Multiple KVStore Collections

REST Call for a list of Alert actions (Webhook_sms or Email or notable or ..)

REST Call for a get details about Alert cron_schedules

Leave A Comment? Click here to cancel reply.