How to list my Splunk users and their email addresses?

the_wolverine
Champion

We're using ldap authentication. How to get a list of users and their email addresses from Splunk?


the_wolverine
Champion

Try:
| rest /services/authentication/users splunk_server=local | table realname, email


bandit
Motivator

Thanks @anthonymelita - @vnguyen46 - it seems it gets broken when I try to export the code from the Simple XML source and post it here as code. I apologize for the inconvenience.

Sample of query: (screenshot)

Sample of source code: (screenshot)


bandit
Motivator

Splunk dashboard of users with role capabilities and index access.

<form>
  <label>User List</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$"
| table user
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma separated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="real_name" searchWhenChanged="true">
      <label>Real Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>realname</fieldForLabel>
      <fieldForValue>realname</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="real_name_pattern" searchWhenChanged="true">
      <label>Real Name Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="email" searchWhenChanged="true">
      <label>Email</label>
      <choice value="*">All</choice>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>email</fieldForValue>
      <default>*</default>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
      </search>
    </input>
    <input type="text" token="email_pattern" searchWhenChanged="true">
      <label>Email Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="role" searchWhenChanged="true">
      <label>Role</label>
      <choice value="*">All</choice>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="role_pattern" searchWhenChanged="true">
      <label>Role Pattern</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <title>(click row for specific user detail)</title>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| sort -type user</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">true</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title capabilities imported_roles imported_capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities imported_roles imported_capabilities ] 
| table role capabilities imported_roles imported_capabilities 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
    | dedup title 
    | rename title as role 
    | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ] 
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
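
The same user-to-role-to-capability join can be done outside Splunk Web, which is handy for a periodic access review or for feeding the result into a ticketing system. The script below is an added example, not code from this thread or from Splunk: it reads `/services/authentication/users` and `/services/authorization/roles` over the management port with `output_mode=json` and joins them per user the way the dashboard's panels do. It assumes a management endpoint in `SPLUNK_URL` (the default value is hypothetical), a Splunk authentication token in `SPLUNK_TOKEN`, and, as bandit points out further down, a caller with the admin or sc_admin role; without that the users endpoint returns only the caller's own entry, which the script flags instead of reporting a one-user deployment. The embedded sample entries are constructed so it runs offline.

```python
"""Audit Splunk users, their roles, capabilities and index access over REST.

Added example (not code from this thread). Assumes SPLUNK_URL is a search
head's management port (the default below is hypothetical), SPLUNK_TOKEN is a
Splunk authentication token, and the token's account has the admin or
sc_admin role; any other account is returned only its own user entry.
"""
import json
import os
import ssl
import urllib.request

SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")  # hypothetical default


def fetch_entries(path, token, verify_tls=True):
    """GET one REST endpoint and return its 'entry' list (count=0 lifts the 30-row default)."""
    req = urllib.request.Request(
        f"{SPLUNK_URL}{path}?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["entry"]


def effective(role_content, key):
    """One role attribute plus what it inherits: the roles endpoint already
    flattens inheritance into imported_<key>, so no recursion is needed."""
    return set(role_content.get(key) or []) | set(role_content.get("imported_" + key) or [])


def build_report(user_entries, role_entries):
    """One row per user with the union of capabilities and allowed indexes over all its roles."""
    roles = {e["name"]: e["content"] for e in role_entries}
    report = []
    for e in user_entries:
        c = e["content"]
        caps, indexes = set(), set()
        for r in c.get("roles") or []:
            if r in roles:  # skip role names the roles endpoint did not return
                caps |= effective(roles[r], "capabilities")
                indexes |= effective(roles[r], "srchIndexesAllowed")
        report.append({
            "user": e["name"],  # plain username; the 'id' URL has '@' percent-encoded as %40
            "realname": c.get("realname", ""),
            "email": c.get("email", ""),
            "type": c.get("type", ""),
            "roles": sorted(c.get("roles") or []),
            "capabilities": sorted(caps),
            "indexes": sorted(indexes),
        })
    return report


def visibility_warning(report, me):
    """Non-admin accounts get back only their own entry; flag that so a one-row
    audit is not mistaken for a one-user deployment. 'me' is the caller's
    username (e.g. from /services/authentication/current-context)."""
    if len(report) == 1 and report[0]["user"] == me:
        return f"only '{me}' was returned: the account likely lacks the admin/sc_admin role"
    return ""


# Constructed sample entries, shaped like the JSON 'entry' lists of both endpoints.
SAMPLE_USERS = [
    {"name": "alice@corp.example", "content": {"realname": "Alice Liddell",
     "email": "alice@corp.example", "type": "LDAP", "roles": ["user", "soc_analyst"]}},
    {"name": "bob", "content": {"realname": "Bob Builder",
     "email": "bob@corp.example", "type": "Splunk", "roles": ["admin"]}},
]
SAMPLE_ROLES = [
    {"name": "user", "content": {"capabilities": ["search"], "imported_roles": [],
     "imported_capabilities": [], "srchIndexesAllowed": ["main"], "imported_srchIndexesAllowed": []}},
    {"name": "soc_analyst", "content": {"capabilities": ["rtsearch"], "imported_roles": ["user"],
     "imported_capabilities": ["search"], "srchIndexesAllowed": ["security"],
     "imported_srchIndexesAllowed": ["main"]}},
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "search"], "imported_roles": [],
     "imported_capabilities": [], "srchIndexesAllowed": ["*", "_*"], "imported_srchIndexesAllowed": []}},
]

if __name__ == "__main__":
    token = os.environ.get("SPLUNK_TOKEN")
    if token:
        users = fetch_entries("/services/authentication/users", token)
        roles = fetch_entries("/services/authorization/roles", token)
    else:  # no credentials: run on the constructed sample so the script works offline
        users, roles = SAMPLE_USERS, SAMPLE_ROLES
    rows = build_report(users, roles)
    for row in rows:
        print(json.dumps(row))
    if (warning := visibility_warning(rows, os.environ.get("SPLUNK_USER", "bob"))):
        print("WARNING:", warning)
```

Run it with `SPLUNK_URL`, `SPLUNK_TOKEN` and `SPLUNK_USER` set to get one JSON line per user; with no token it prints the report for the constructed sample. The join uses the entry `name` rather than parsing the `id` URL, which is why the `%40` replace and the `rex` from the dashboard are not needed here.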

vnguyen46
Contributor

It'd be helpful if you can give a hint on how to import this code into Splunk SH to create the dashboard. I copied and pasted as source, it said 16 errors and couldn't save it.

Thanks,


anthonymelita
Contributor

@vnguyen46 There are several lines with regex extractions. You need to replace the angle brackets in them with html escapes like:

?&lt;user&gt;
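
Doing that by hand across every `<query>` in a long dashboard is error-prone. The following added example (not code from this thread or from Splunk) re-escapes the body of every `<query>` element in a Simple XML file so the file is well-formed again, and checks the result with the standard-library XML parser, which rejects the raw `(?<user>.+)` for the same reason Splunk does. The snippet it runs on is a constructed cut-down of the dashboard above.

```python
"""Re-escape angle brackets inside Simple XML <query> elements.

Added example, not code from this thread. A dashboard copied out of a web
page often has raw `(?<user>.+)` in its rex commands; the XML parser reads
that as an unclosed <user> tag and Splunk refuses to save the dashboard.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, unescape

QUERY_RE = re.compile(r"(<query>)(.*?)(</query>)", re.DOTALL)


def escape_queries(simple_xml):
    """Return the XML with every <query> body XML-escaped; safe to run twice."""
    def fix(match):
        body = unescape(match.group(2))  # undo existing &lt;/&gt; so they are not escaped twice
        return match.group(1) + escape(body) + match.group(3)
    return QUERY_RE.sub(fix, simple_xml)


def parses(simple_xml):
    """True when the dashboard is well-formed XML (what Splunk checks before saving)."""
    try:
        ET.fromstring(simple_xml)
        return True
    except ET.ParseError:
        return False


def query_texts(simple_xml):
    """The SPL of each <query>, with entities decoded, as Splunk will run it."""
    return [q.text for q in ET.fromstring(simple_xml).iter("query")]


# Constructed cut-down of the dashboard above, as it comes out of a copy-paste.
BROKEN_SNIPPET = """<form>
  <label>User List</label>
  <row><panel><table><search>
    <query>| rest /services/authentication/users splunk_server=local
| rex field=id "/users/(?<user>.+)$"
| table user realname email</query>
  </search></table></panel></row>
</form>"""

if __name__ == "__main__":
    fixed = escape_queries(BROKEN_SNIPPET)
    print("well-formed before:", parses(BROKEN_SNIPPET), "after:", parses(fixed))
    print(fixed)
```

Paste the printed output into the dashboard source editor; the `rex` line now reads `(?&lt;user&gt;.+)` in the source while the search that runs still sees `(?<user>.+)`.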

ddrillic
Ultra Champion

Gorgeous stuff as usual @rob_jordan - your visios are legendary ;-)

bandit
Motivator

@ddrillic thanks for the kind words 🙂


raswini
New Member

How to get a list of users with ID and their email addresses from Splunk?


chrispounds
Explorer

When I implement the above search, it only seems to tell me I'm the only one logged in; same when another user runs the search, it reports that they are logged in, but no one else. Is this correct behaviour?


bandit
Motivator

You'll need an account with the admin or sc_admin (Splunk Cloud) role. Other accounts will only see their own info.

chrispounds
Explorer

Makes sense, thank you Rob 🙂
