Reporting

Is there a system lookup file or index I can search to report on Splunk admin (role) logins?

rkeenan
Explorer

We're looking to create a search on Splunk admin users' logins. Currently I have a search which includes each admin user name, but I'm looking for a way to dynamically capture the members of the admin role. Is there a system lookup file or other index I can search to get a user's role?

My search so far:

index=_audit source=audittrail action="login attempt" info=succeeded user=<admin user login1> OR user=<admin user login2> OR ...| table _time user

Thanks.

0 Karma
1 Solution

ryanoconnor
Builder

I would recommend looking at the following rest endpoint:

/services/authentication/users

You can use the rest command to access it

View solution in original post

0 Karma

ryanoconnor
Builder

I would recommend looking at the following rest endpoint:

/services/authentication/users

You can use the rest command to access it

0 Karma

rkeenan
Explorer

Thanks - this worked:

index=_audit source=audittrail action="login attempt" info=succeeded 
[|rest /services/authentication/users splunk_server=local | search roles=admin| fields title |rename title as user] | table _time user
0 Karma

sk314
Builder

You could use the search mentioned in the following answer to create a lookup.

https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...