We're looking to create a search on Splunk admin users' logins. Currently I have a search which includes each admin user name, but I'm looking for a way to dynamically capture the members of the admin role. Is there a system lookup file or other index I can search to get a user's role?
My search so far:
index=_audit source=audittrail action="login attempt" info=succeeded user=<admin user login1> OR user=<admin user login2> OR ...| table _time user
Thanks.
I would recommend looking at the following rest endpoint:
/services/authentication/users
You can use the rest command to access it
Thanks - this worked:
index=_audit source=audittrail action="login attempt" info=succeeded
[|rest /services/authentication/users splunk_server=local | search roles=admin| fields title |rename title as user] | table _time user
You could use the search mentioned in the following answer to create a lookup.
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html
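The lookup-based variant of the accepted search, as an added example that is not part of this thread: the first search writes the user-to-role mapping from the REST endpoint into a CSV lookup, and the second joins that lookup against the audit trail instead of running the subsearch on every execution (the lookup file name user_roles.csv is an assumption).

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| mvexpand roles
| rename title AS user
| outputlookup user_roles.csv

index=_audit source=audittrail action="login attempt" info=succeeded
| lookup user_roles.csv user OUTPUT roles
| search roles=admin
| table _time user roles
```

Schedule the first search so the lookup is refreshed regularly; note that the users endpoint only lists accounts known to that Splunk server, so LDAP or SAML users who have never logged in will not appear until their first login.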