Splunk Search

REST call in subsearch

brdr
Contributor

I have this search provided by @somesoni2. I am making a simple change to it so it provides a list of indexes that a user has access to. In order to do this you must search via REST the user, role, and indexes data.

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role] | dedup index_name | table index_name

In the last REST subsearch, | rest /services/authentication/users, all I'm trying to do is add | rest /services/authentication/users | search title="a name goes here". By putting a name in I just want to get back a single user. I'm building a dashboard that will allow a user to query what index a user can access based on their roles. If I pull out this subsearch and run it separately it works just fine.

Thx

0 Karma
1 Solution

koshyk
Super Champion

Please try like..

| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role| search User="admin"
 | join type=left Role [| rest /services/authorization/roles splunk_server="local" 
 | table title, srchIndexesAllowed| eval srchIndexesAllowed=mvjoin(srchIndexesAllowed,"; ")
 | rex field=srchIndexesAllowed mode=sed "s/_\*/ALL_INTERNAL/g"
 | rex field=srchIndexesAllowed mode=sed "s/\*/ALL_NON-INTERNAL/g"
 | rename title as Role]

I've put a filter of search User="admin" in the 1st line; maybe you can try your own.


0 Karma
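An added example, not written by either poster: it takes the accepted answer one step further and resolves each role's wildcard patterns to the actual index names the user can search, keeping the thread's rule that `*` covers only non-internal indexes and `_*` only those starting with `_`. It also merges in `imported_srchIndexesAllowed`, a field of the roles endpoint that is not used on this page, so that patterns inherited from imported roles are counted; `"admin"` is the placeholder user from the answer, and `pattern`, `scope`, `regex`, `granting_roles` and `matched_patterns` are names chosen here.

```spl
| rest /services/authentication/users splunk_server=local
| search title="admin"
| fields title roles
| rename title as User, roles as Role
| mvexpand Role
| join type=inner max=0 Role
    [| rest /services/authorization/roles splunk_server=local
     | eval pattern=mvappend(srchIndexesAllowed, imported_srchIndexesAllowed)
     | fields title pattern
     | rename title as Role
     | mvexpand pattern
     | dedup Role pattern]
| eval scope=if(substr(pattern,1,1)="_","internal","non-internal")
| eval regex="^".replace(pattern,"[*]",".*")."$"
| join type=inner max=0 scope
    [| rest /services/data/indexes
     | fields title
     | dedup title
     | rename title as index_name
     | eval scope=if(substr(index_name,1,1)="_","internal","non-internal")]
| where match(index_name, regex)
| stats values(Role) as granting_roles values(pattern) as matched_patterns by User index_name
| sort index_name
```

Both joins are inner joins, so a user filter in the first line actually limits the output; the pattern is matched as an anchored regex rather than with `like()`, where `_` would act as a single-character wildcard.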

brdr
Contributor

awesome koshyk! thank you.

0 Karma
