
How to get a list of indexes that a user can access

ktn01
Path Finder

Hello,

I have users with multiple roles, and some roles inherit from other roles.

Is there an easy way to find all indexes readable by a user?

Thanks

Christian


SONY_anilyelmar
Explorer
| rest /services/authentication/current-context splunk_server=local
| rename roles AS role
| mvexpand role
| fields realname username role email
| join type=outer role
    [| rest /services/authorization/roles splunk_server=local
    | rename title AS role
    | eval role_indexes=mvjoin(srchIndexesAllowed,";")
    | eval imported_indexes=mvjoin(imported_srchIndexesAllowed,";")
    | eval allowed_indexes=mvappend(imported_indexes, role_indexes)
    | fields role allowed_indexes role_indexes imported_indexes
    | rex mode=sed field=allowed_indexes "s/;/\n/g"]
| join type=outer role
    [| rest /services/admin/LDAP-groups splunk_server=local
    | mvexpand roles
    | fields roles strategy title
    | rename roles as role
    | rename title as ADGroup]
| table realname username email role allowed_indexes ADGroup strategy

mattymo
Splunk Employee

Check out Homepage App for Splunk. It provides a search that does this, and also provides the sourcetypes and one-click drilldown into search to make exploring easier for users. Depending on your use case, this may provide helpful searches to build on.

https://splunkbase.splunk.com/app/3637/

- MattyMo

jplumsdaine22
Influencer

If you're using LDAP and have a large organisation, you may not have all users available in the users endpoint. Additionally, if you have complicated your environment, you might have nested Splunk roles.

The following search will take account of nested groups and show the mapped LDAP groups for your roles. This assumes you're running this on your DMC host; change the values of splunk_server_group as required (for example, if you're running the search on a single-instance setup you would use splunk_server=local instead).

| rest splunk_server_group=dmc_group_search_head /services/authorization/roles
| fields title srchIndexesAllowed splunk_server
| mvexpand srchIndexesAllowed
| stats values(title) as roles by splunk_server srchIndexesAllowed
| mvexpand roles
| $indexes$
| rename srchIndexesAllowed as index
| join type=left max=0 roles splunk_server
    [| rest splunk_server_group=dmc_group_search_head /services/admin/LDAP-groups
    | fields title roles splunk_server
    | where match(roles,".+")
    | join type=left max=0 roles splunk_server
        [| rest splunk_server_group=dmc_group_search_head /services/authorization/roles
        | fields title imported_roles splunk_server
        | mvexpand imported_roles
        | rename title as roles]
    | join type=left max=0 splunk_server imported_roles
        [| rest splunk_server_group=dmc_group_search_head /services/authorization/roles
        | fields title imported_roles splunk_server
        | mvexpand imported_roles
        | rename imported_roles as inherits
        | rename title as imported_roles]
    | stats values(roles) as roles1 values(imported_roles) as inherit1 values(inherits) as inherit2 by splunk_server title
    | eval roles=mvappend(roles1,inherit1,inherit2)
    | fields splunk_server title roles
    | rename title as group
    | mvexpand roles
    | stats values(group) as groups by splunk_server roles]
| stats values(groups) as ad_groups values(roles) as splunk_roles by splunk_server index
| makemv delim=" " ad_groups
| eval ad_groups=mvdedup(ad_groups)

Note the token value $indexes$ on line 6; that's where you should filter for which index you want to see. We have a multivalue picker that fills out a token like so: where match(srchIndexesAllowed,"^\*|^value1$|^value2$|..."), but you can put any filter you like there.

This search will also show any roles that have all-non-internal granted for srchIndexesAllowed.


jplumsdaine22
Influencer

er, this doesn't quite do what the OP asked, in that it's from an index perspective rather than a user one


rjthibod
Champion

See martin's great response here: https://answers.splunk.com/answers/260126/how-can-i-search-a-list-of-users-with-all-the-role.html

Here is what he provided.

| rest /services/authentication/users | table title roles | rename title as user | mvexpand roles
| join type=left roles [| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault | rename title as roles]
| makemv srchIndexesAllowed tokenizer="(\S+)" | makemv srchIndexesDefault tokenizer="(\S+)"
| fillnull value=" "
| mvexpand srchIndexesAllowed | mvexpand srchIndexesDefault
| join type=left max=999 srchIndexesAllowed [| rest /services/data/indexes | table title | eval srchIndexesAllowed = if(match(title, "^_"), "_*", "*") | rename title as IndexesAllowed]
| join type=left max=999 srchIndexesDefault [| rest /services/data/indexes | table title | eval srchIndexesDefault = if(match(title, "^_"), "_*", "*") | rename title as IndexesDefault]
| stats values(*) as * by user
| foreach srch* [eval <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>) | eval <<FIELD>> = mvfilter(match(<<FIELD>>, "^[^*]+$"))]
| fields - Indexes*
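The searches above do two things that are easy to get wrong when auditing index access: follow imported_roles transitively (jplumsdaine22's nested joins) and expand wildcard entries such as * and _* against the real index list (the last two joins in martin's search). The following is an added example, not code from any answer in this thread, that does both offline in Python. ROLES, USERS and INDEXES are constructed stand-ins for what /services/authorization/roles, /services/authentication/users and /services/data/indexes return; the treatment of entries other than a bare * or all-non-internal as globs where only * is a wildcard is an assumption made for this example.

```python
"""Resolve which indexes a Splunk user can search, following role inheritance.

Added example for this thread, not code from any of the answers.  The three
dictionaries below are constructed sample data in the shape of the REST
endpoints /services/authorization/roles, /services/authentication/users and
/services/data/indexes; replace them with real responses to run an audit.
"""
import re

# Constructed sample data (not from a real deployment).
ROLES = {
    # role -> srchIndexesAllowed and imported_roles, as the roles endpoint returns per entry
    "admin":       {"srchIndexesAllowed": ["*", "_*"],  "imported_roles": []},
    "power":       {"srchIndexesAllowed": ["*"],        "imported_roles": ["user"]},
    "user":        {"srchIndexesAllowed": ["main"],     "imported_roles": []},
    "soc_analyst": {"srchIndexesAllowed": ["sec_*"],    "imported_roles": ["user"]},
    "soc_lead":    {"srchIndexesAllowed": ["_audit"],   "imported_roles": ["soc_analyst"]},
}
USERS = {  # user -> directly assigned roles (the "roles" field of authentication/users)
    "alice": ["soc_lead"],
    "bob":   ["user", "power"],
    "carol": ["soc_analyst"],
}
INDEXES = ["main", "sec_proxy", "sec_edr", "hr", "_internal", "_audit"]  # data/indexes titles


def inherited_roles(role, roles=ROLES):
    """Return `role` plus every role reachable through imported_roles.

    Transitive and cycle-safe; roles referenced but not defined are skipped."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen or current not in roles:
            continue
        seen.add(current)
        stack.extend(roles[current]["imported_roles"])
    return seen


def expand_pattern(pattern, indexes):
    """Expand one srchIndexesAllowed entry against the list of index names.

    Splunk treats a bare '*' as every non-internal index and '_*' as the
    internal ones; 'all-non-internal' is the legacy spelling of '*'.  Any
    other entry is treated here as a glob in which only '*' is a wildcard
    (an assumption for this example)."""
    if pattern == "all-non-internal":
        pattern = "*"
    if pattern == "*":
        return {i for i in indexes if not i.startswith("_")}
    regex = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
    return {i for i in indexes if regex.match(i)}


def index_grants(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Map each index `user` can read to the sorted roles that grant it,
    so a reviewer can see *why* the user has access, not just that they do."""
    grants = {}
    for assigned in users.get(user, []):
        for role in inherited_roles(assigned, roles):
            for pattern in roles[role]["srchIndexesAllowed"]:
                for index in expand_pattern(pattern, indexes):
                    grants.setdefault(index, set()).add(role)
    return {index: sorted(granting) for index, granting in sorted(grants.items())}


def allowed_indexes(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Sorted list of indexes `user` can search: the answer to the OP's question."""
    return sorted(index_grants(user, users, roles, indexes))


if __name__ == "__main__":
    for name in USERS:
        print(name, allowed_indexes(name))
        for index, via in index_grants(name).items():
            print("   ", index, "<-", ", ".join(via))
```

Because index_grants keeps the granting role next to each index, the output also answers the follow-up an access review usually raises: when a user can read an index nobody expected, the role (often one reached only through inheritance) that introduced it is listed beside it.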