How to write a search to list roles and their capabilities in a Splunk environment?

srikanth1213
Path Finder

Hello Guys,

Can someone help me with a search to list the roles and their capabilities in a Splunk environment?

1 Solution

horsefez
SplunkTrust

Hello,

Here is a solution for the roles and users from the always awesome user "somesoni2":
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html

And for the roles and capabilities thing, you are not far off searching with this command:

 | rest /services/authorization/roles

I used those myself in the past to get reports about that.

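Building on the `| rest /services/authorization/roles` command in the accepted answer, the following search is an added example (not part of the original answer) that lists one row per role and capability and records whether the capability is assigned to the role directly or inherited through an imported role. It assumes that the endpoint returns directly assigned capabilities in the `capabilities` field and inherited ones in `imported_capabilities` (with the parent roles in `imported_roles`); a listing that reads only `capabilities` understates a role's effective privileges, which is the number an access review actually needs.

```spl
| rest /services/authorization/roles splunk_server=local
| rename title AS role
| eval capability=mvdedup(mvappend(capabilities, imported_capabilities))
| mvexpand capability
| eval source=if(isnotnull(mvfind(capabilities, "^".capability."$")), "direct", "inherited via ".mvjoin(imported_roles, ","))
| table role capability source
| sort 0 role capability
```

`mvfind` looks the expanded capability up in the role's own `capabilities` list, so a capability that is present only because of `imported_roles` is marked as inherited together with the roles it came from. To review only the capabilities that amount to administrative control of the instance, append `| search capability IN (admin_all_objects, edit_roles, edit_roles_grantable, edit_user, edit_server, restart_splunkd, run_debug_commands, list_storage_passwords)` (capability names as they appear in the dashboard search further down this page) and compare the resulting roles with the ones you expect to hold them. Reading the `authorization/roles` endpoint itself requires the appropriate permission, so the search is normally run from an admin account.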

bandit
Motivator

Dashboard which will list and compare role capabilities. (XML code below)

<form hideFilters="true">
  <label>Role Capabilities</label>
  <description>(select roles and capabilities to compare)</description>
  <fieldset submitButton="false">
    <input type="checkbox" token="role" searchWhenChanged="true">
      <label>Roles</label>
      <fieldForLabel>role</fieldForLabel>
      <fieldForValue>role</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
 | table roles
 | mvexpand roles
 | dedup roles
 | table roles
 | sort roles
 | rename roles as role</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>role="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="*">All</choice>
      <default>admin,power,sc_admin,user</default>
    </input>
    <input type="dropdown" token="capability_group" searchWhenChanged="true">
      <label>Capability Group</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>capability_group="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>capability_group</fieldForLabel>
      <fieldForValue>capability_group</fieldForValue>
      <search>
        <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| mvexpand capabilities 
| dedup capabilities 
| sort capabilities 
| rex field=capabilities "^(?<capability_group>[^_]+)" 
| table capability_group 
| dedup capability_group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="capabilities" searchWhenChanged="true">
      <label>Capabilities</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>capabilities="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>capabilities</fieldForLabel>
      <fieldForValue>capabilities</fieldForValue>
      <search>
        <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| mvexpand capabilities 
| dedup capabilities 
| sort capabilities</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Capabilities by Role</title>
      <table>
        <search>
          <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| dedup capabilities 
| sort capabilities 
| eval role="Capabilities List" 
| table capabilities 
| stats count by role capabilities 
| appendcols 
    [| rest /services/authorization/roles 
    | table title capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities 
    | stats count by role capabilities] 
| eval _time=now() 
| search $role$ 
| stats count(eval(capabilities="accelerate_datamodel")) as accelerate_datamodel count(eval(capabilities="accelerate_search")) as accelerate_search count(eval(capabilities="admin_all_objects")) as admin_all_objects count(eval(capabilities="change_authentication")) as change_authentication count(eval(capabilities="change_own_password")) as change_own_password count(eval(capabilities="delete_by_keyword")) as delete_by_keyword count(eval(capabilities="dispatch_rest_to_indexers")) as dispatch_rest_to_indexers count(eval(capabilities="dmc_deploy_apps")) as dmc_deploy_apps count(eval(capabilities="dmc_deploy_token_http")) as dmc_deploy_token_http count(eval(capabilities="edit_cmd")) as edit_cmd count(eval(capabilities="edit_deployment_client")) as edit_deployment_client count(eval(capabilities="edit_deployment_server")) as edit_deployment_server count(eval(capabilities="edit_dist_peer")) as edit_dist_peer count(eval(capabilities="edit_encryption_key_provider")) as edit_encryption_key_provider count(eval(capabilities="edit_forwarders")) as edit_forwarders count(eval(capabilities="edit_httpauths")) as edit_httpauths count(eval(capabilities="edit_indexer_cluster")) as edit_indexer_cluster count(eval(capabilities="edit_indexerdiscovery")) as edit_indexerdiscovery count(eval(capabilities="edit_input_defaults")) as edit_input_defaults count(eval(capabilities="edit_local_apps")) as edit_local_apps count(eval(capabilities="edit_monitor")) as edit_monitor count(eval(capabilities="edit_restmap")) as edit_restmap count(eval(capabilities="edit_roles")) as edit_roles count(eval(capabilities="edit_roles_grantable")) as edit_roles_grantable count(eval(capabilities="edit_scripted")) as edit_scripted count(eval(capabilities="edit_search_head_clustering")) as edit_search_head_clustering count(eval(capabilities="edit_search_schedule_priority")) as edit_search_schedule_priority count(eval(capabilities="edit_search_schedule_window")) as edit_search_schedule_window 
count(eval(capabilities="edit_search_scheduler")) as edit_search_scheduler count(eval(capabilities="edit_search_server")) as edit_search_server count(eval(capabilities="edit_server")) as edit_server count(eval(capabilities="edit_server_crl")) as edit_server_crl count(eval(capabilities="edit_sourcetypes")) as edit_sourcetypes count(eval(capabilities="edit_splunktcp")) as edit_splunktcp count(eval(capabilities="edit_splunktcp_ssl")) as edit_splunktcp_ssl count(eval(capabilities="edit_splunktcp_token")) as edit_splunktcp_token count(eval(capabilities="edit_statsd_transforms")) as edit_statsd_transforms count(eval(capabilities="edit_tcp")) as edit_tcp count(eval(capabilities="edit_tcp_stream")) as edit_tcp_stream count(eval(capabilities="edit_telemetry_settings")) as edit_telemetry_settings count(eval(capabilities="edit_token_http")) as edit_token_http count(eval(capabilities="edit_udp")) as edit_udp count(eval(capabilities="edit_upload_and_index")) as edit_upload_and_index count(eval(capabilities="edit_user")) as edit_user count(eval(capabilities="edit_view_html")) as edit_view_html count(eval(capabilities="edit_web_settings")) as edit_web_settings count(eval(capabilities="embed_report")) as embed_report count(eval(capabilities="export_results_is_visible")) as export_results_is_visible count(eval(capabilities="get_diag")) as get_diag count(eval(capabilities="get_metadata")) as get_metadata count(eval(capabilities="get_typeahead")) as get_typeahead count(eval(capabilities="indexes_edit")) as indexes_edit count(eval(capabilities="indexes_list_all")) as indexes_list_all count(eval(capabilities="input_file")) as input_file count(eval(capabilities="license_edit")) as license_edit count(eval(capabilities="license_tab")) as license_tab count(eval(capabilities="license_view_warnings")) as license_view_warnings count(eval(capabilities="list_deployment_client")) as list_deployment_client count(eval(capabilities="list_deployment_server")) as list_deployment_server 
count(eval(capabilities="list_forwarders")) as list_forwarders count(eval(capabilities="list_httpauths")) as list_httpauths count(eval(capabilities="list_indexer_cluster")) as list_indexer_cluster count(eval(capabilities="list_indexerdiscovery")) as list_indexerdiscovery count(eval(capabilities="list_inputs")) as list_inputs count(eval(capabilities="list_introspection")) as list_introspection count(eval(capabilities="list_metrics_catalog")) as list_metrics_catalog count(eval(capabilities="list_search_head_clustering")) as list_search_head_clustering count(eval(capabilities="list_search_scheduler")) as list_search_scheduler count(eval(capabilities="list_settings")) as list_settings count(eval(capabilities="list_storage_passwords")) as list_storage_passwords count(eval(capabilities="output_file")) as output_file count(eval(capabilities="pattern_detect")) as pattern_detect count(eval(capabilities="refresh_application_licenses")) as refresh_application_licenses count(eval(capabilities="request_remote_tok")) as request_remote_tok count(eval(capabilities="rest_apps_management")) as rest_apps_management count(eval(capabilities="rest_apps_view")) as rest_apps_view count(eval(capabilities="rest_properties_get")) as rest_properties_get count(eval(capabilities="rest_properties_set")) as rest_properties_set count(eval(capabilities="restart_reason")) as restart_reason count(eval(capabilities="restart_splunkd")) as restart_splunkd count(eval(capabilities="rtsearch")) as rtsearch count(eval(capabilities="run_debug_commands")) as run_debug_commands count(eval(capabilities="schedule_rtsearch")) as schedule_rtsearch count(eval(capabilities="schedule_search")) as schedule_search count(eval(capabilities="search")) as search count(eval(capabilities="search_process_config_refresh")) as search_process_config_refresh count(eval(capabilities="web_debug")) as web_debug by role 
| transpose 1000 column_name=capabilities header_field=role 
| rex field=capabilities "^(?<capability_group>[^_]+)" 
| search $capabilities$ $capability_group$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
        <format type="color" field="admin">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="apps">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="capability_group">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="power">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="sc_admin">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="user">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="number" field="internal_automation_role">
          <option name="precision">0</option>
        </format>
        <format type="color" field="internal_automation_role">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>
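The panel query in the dashboard above enumerates every capability by hand in a long `stats count(eval(...))` clause, which silently omits any capability that a later Splunk release adds. As an added alternative (not part of the original dashboard), the following search builds the same role-by-capability matrix with `xyseries`, so the capability rows come from the endpoint instead of a hard-coded list. It keeps the dashboard's `$role$`, `$capabilities$` and `$capability_group$` tokens and assumes that `imported_capabilities` carries the capabilities a role inherits from its `imported_roles`, so inherited privileges show up in the matrix as well.

```spl
| rest /services/authorization/roles splunk_server=local
| rename title AS role
| search $role$
| eval capabilities=mvdedup(mvappend(capabilities, imported_capabilities))
| mvexpand capabilities
| eval granted=1
| xyseries capabilities role granted
| fillnull value=0
| rex field=capabilities "^(?<capability_group>[^_]+)"
| search $capabilities$ $capability_group$
```

The role filter runs before `xyseries` because afterwards the role names are column headers rather than values of a `role` field; `fillnull` turns the missing cells into the `0` that the dashboard's colour maps expect. To try the search in the search bar instead of the panel, drop the two `| search $...$` lines.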

jkat54
SplunkTrust

This is an awesome app for that:

https://splunkbase.splunk.com/app/1866/


srikanth1213
Path Finder

@jkat54: It would not let me download the app. Can you please check?

