I have this search provided by @somesoni2. I am making a simple change to it so it provides a list of indexes that a user has access to. In order to do this you must search via REST the user, role, and indexes data.
| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role] | dedup index_name | table index_name
In the last REST subsearch, | rest /services/authentication/users, all I'm trying to do is add | rest /services/authentication/users | search title="a name goes here". By putting a name in I just want to get back a single user. I'm building a dashboard that will allow a user to query what index a user can access based on their roles. If I pull out this subsearch and run it separately it works just fine.
Thx
Please try like..
| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role| search User="admin"
| join type=left Role [| rest /services/authorization/roles splunk_server="local"
| table title, srchIndexesAllowed| eval srchIndexesAllowed=mvjoin(srchIndexesAllowed,"; ")
| rex field=srchIndexesAllowed mode=sed "s/_\*/ALL_INTERNAL/g"
| rex field=srchIndexesAllowed mode=sed "s/\*/ALL_NON-INTERNAL/g"
| rename title as Role]
I've put a filter of search User="admin" in the 1st line, maybe you can try your own
awesome koshyk! thank you.
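Added example, not part of the original thread: a Python model of the user -> role -> srchIndexesAllowed -> index resolution that the searches above perform, useful for checking what a given wildcard actually grants during an access review. The data is constructed to mirror the three REST endpoints, the function names are hypothetical, and role inheritance is not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the three REST endpoints used above.
INDEXES = ["main", "web_prod", "web_dev", "_internal", "_audit"]  # /services/data/indexes
ROLES = {                       # /services/authorization/roles: title -> srchIndexesAllowed
    "admin":   ["*", "_*"],
    "web_ops": ["web_*"],
    "auditor": ["_audit", "main"],
}
USERS = {                       # /services/authentication/users: title -> roles
    "alice": ["web_ops"],
    "bob":   ["auditor", "web_ops"],
    "root":  ["admin"],
}

def is_internal(name):
    """Same split as the joinfield eval: a leading underscore means internal ("I")."""
    return name.startswith("_")

def pattern_matches(pattern, index_name):
    # A pattern only applies to indexes of its own class, so "*" alone does
    # not grant _internal or _audit; "_*" is needed for those.
    if is_internal(pattern) != is_internal(index_name):
        return False
    return fnmatchcase(index_name, pattern)

def indexes_for_user(user):
    """Return {index_name: [roles granting it]} for a single user."""
    granted = {}
    for role in USERS.get(user, []):
        for pattern in ROLES.get(role, []):
            for index_name in INDEXES:
                if pattern_matches(pattern, index_name):
                    granted.setdefault(index_name, set()).add(role)
    return {name: sorted(roles) for name, roles in sorted(granted.items())}

if __name__ == "__main__":
    for user in USERS:
        print(user, indexes_for_user(user))
```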