Hi,
Is there a way to get a list of all accounts across a SHC?
To add to what @MuS has stated:
index=_audit action=add | rex field=_raw "/etc/users/(?P<user>\w+)/" (Select All time)
this will give you the list of user/account names irrespective of the search head they were created on (I know we have all seen one rogue user account :)). The limitation is that it will just give me the userids.
Hope you can expand this and get what you want.
Thanks,
Raghav
We use the following - | rest services/authentication/users | where roles="XXX" | table title, email, realname
We use a combination of LDAP (users) and local accounts (services - api). Looking for searches across all time isn't realistic - there isn't a rest call to get all this info across the cluster?
As said, if you're on Splunk 6.4.x all local users are replicated within the SHC.
Regarding the LDAP users, you can use the rest call to /services/authentication/users.
That's just it though - they aren't replicating. So I want to use this to provide input to support, rather than log in to each SH and run it.
Is anything replicated in the SHC at all - Like dashboards and changed saved searches?
Unfortunately, if a user is created on a SHC member locally, that search doesn't find that user. Also,
| rest /services/authentication/users is nothing but localhost/services/authentication/users, so it would display only users from the search head you ran it on.
Thanks,
Raghav
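Since, as noted above, | rest only reports the member it runs on, the practical cross-check is to pull the same endpoint from every member's management port and diff the results. This is an added example (Python, not from this thread or from Splunk); it assumes the caller supplies member hostnames (hostname:8089 placeholders) and a session key, and the sample response bodies are constructed.

```python
import json
import ssl
import urllib.request
from typing import Dict, List

def fetch_users(member: str, auth_token: str) -> dict:
    """GET /services/authentication/users from ONE member (hostname:8089, placeholder).
    The management API returns JSON when output_mode=json; count=0 lifts the page limit."""
    url = f"https://{member}/services/authentication/users?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {auth_token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as r:
        return json.load(r)

def parse_users(payload: dict) -> Dict[str, dict]:
    """Map username -> email/realname/roles from one member's response body."""
    users = {}
    for entry in payload.get("entry", []):
        c = entry.get("content", {})
        users[entry["name"]] = {"email": c.get("email", ""), "realname": c.get("realname", ""),
                                "roles": sorted(c.get("roles", []))}
    return users

def compare_members(per_member: Dict[str, Dict[str, dict]]) -> Dict[str, List[str]]:
    """For each account seen anywhere, list the members that do NOT have it.
    [] = present cluster-wide; anything else = local-only account or replication gap."""
    everyone = set().union(*per_member.values())
    return {u: sorted(m for m, users in per_member.items() if u not in users) for u in sorted(everyone)}

# Constructed sample bodies for two members, shaped like the real endpoint's JSON (not real data).
SAMPLE = {
    "sh1": {"entry": [
        {"name": "admin", "content": {"realname": "Administrator", "roles": ["admin"]}},
        {"name": "svc_api", "content": {"email": "api@example.com", "roles": ["power"]}}]},
    "sh2": {"entry": [
        {"name": "admin", "content": {"realname": "Administrator", "roles": ["admin"]}},
        {"name": "rogue", "content": {"realname": "Created locally", "roles": ["user"]}}]},
}

def audit(per_member_payloads: Dict[str, dict]) -> Dict[str, List[str]]:
    """Parse every member's body and diff them; a real run feeds fetch_users() output here."""
    return compare_members({m: parse_users(p) for m, p in per_member_payloads.items()})

if __name__ == "__main__":
    for user, missing in audit(SAMPLE).items():
        print(f"{user:10} missing on: {', '.join(missing) or 'none'}")
```

Accounts that come back with a non-empty "missing on" list are the ones to hand to support, since they exist on some members but were never replicated to the rest.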
Look, a situation in which a user is created on a SHC member locally is against any best practices. We need to put safeguards against such a use case.
@ddrillic, sorry but this is wrong! See the docs: http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/AdduserstotheSHC
To add users to the search head cluster, you can use any of the available authentication methods:
Splunk Enterprise built-in authentication, LDAP, SAML, or scripted authentication.
and
Use Splunk Enterprise built-in authentication
For Splunk Enterprise built-in authentication, you can use Splunk Web or the CLI to add users and map roles. Perform the operation on any one of the cluster members. The cluster then automatically distributes the changes to all members by replicating the $SPLUNK_HOME/etc/passwd file.
Thank you MuS for the correction.
Hi a212830,
if you're on Splunk 6.4.x, use local user authentication, and have OS-level access, look at the file
$SPLUNK_HOME/etc/passwd, since this file will be replicated in the SHC. You can also use the following rest search:
| rest /services/admin/users | table title
Hope this helps ...
cheers, MuS