User Info Dashboard – Using REST

I found this very useful user statistics/information Splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

<dashboard>
      <label>REST API: access control</label>
      <row>
        <panel>
          <single>
            <title>You are</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="drilldown">none</option>
          </single>
        </panel>
        <panel>
          <table>
            <title>And you have these permissions</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">5</option>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>Active users (sessions)</title>
            <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">10</option>
          </table>
        </panel>
        <panel>
          <table>
            <title>All users (limited to 100)</title>
            <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
          </table>
        </panel>
        <panel>
          <chart>
            <title>Users by authentication system</title>
            <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisX.scale">linear</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.axisY2.enabled">false</option>
            <option name="charting.axisY2.scale">inherit</option>
            <option name="charting.chart">pie</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.chart.style">shiny</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
          </chart>
        </panel>
      </row>
</dashboard>