List All Splunk Users & Associated Roles

The following Splunk query will show a table of all users and their roles:

| rest /services/authentication/users | stats values(roles) as Roles by user

*Admin Notes*
I’ve found the following query to work better in my environment:

| rest /services/authentication/users | stats values(roles) as Roles by title

Comments

  1. William Triest

    You really should add a splunk_server=local argument to the rest call in most cases. Typically when you are running this search, it will be on a search head whose search peers will be indexers. In those cases, it is the search head who determines permissions in this case, so you only need to query the search head and thus using splunk_server=local will not only help speed up the search, but it will eliminate potentially incorrect information.

    The exceptions would be if you have a search head whose search peers are the search heads. Traditionally this would have been done specifically for use cases like this when you have an environment with multiple search head environments (e.g. each search head cluster would count as an environment as would any standalone search heads). With federated search, a similar situation would occur.
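
The search from the post with the `splunk_server=local` argument from the comment above applied, as an added example that is not part of the original post or the comment. It also marks accounts that hold the built-in `admin` role and shows each account's authentication type; the output column names (`User`, `AuthType`, `HasAdminRole`) are chosen here for illustration.

```spl
| rest /services/authentication/users splunk_server=local
| eval HasAdminRole=if(isnotnull(mvfind(roles, "^admin$")), "yes", "no")
| stats values(roles) as Roles, values(type) as AuthType, max(HasAdminRole) as HasAdminRole by title
| rename title as User
| sort 0 User
```

Because only the local search head answers the REST call, each account appears once, with the roles that search head actually enforces.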
