Table: splunk_token - Query Splunk Tokens using SQL
Splunk is a software platform for real-time data processing and visualization. It lets users search, analyze, and visualize the raw data generated by their organization's IT infrastructure. A Splunk authentication token is a JSON Web Token issued to a user (its subject) and presented as a bearer credential to the Splunk REST API in place of a session key; the issuer, audience, roles, validity window and last-use details recorded in this table are the token's claims and usage metadata.
Table Usage Guide
The splunk_token table provides insights into authentication tokens within Splunk. As a security analyst, use it to review token-specific details such as the token name and ID, the subject and roles it carries, its issue and expiration times, and when and from which IP address it was last used. This supports finding stale, over-privileged or expired tokens and verifying that token permissions match what their owners actually need.
Examples
Basic info
List each token with its status, issuer and expiration time. This is the starting point for token inventory: it shows which tokens are enabled and when each one stops being valid, so tokens can be renewed or removed before they expire rather than discovered after the fact.

```sql
select
  name,
  status,
  issuer,
  expiration_time
from
  splunk_token;
```
List disabled tokens
List tokens that have been disabled. A disabled token cannot authenticate, but it still exists and can be re-enabled; reviewing this list confirms that revocations took effect and identifies tokens that should be deleted outright rather than left disabled.

```sql
select
  name,
  status,
  issuer,
  expiration_time
from
  splunk_token
where
  status = 'disabled';
```
List unused tokens
Identify tokens that have never been used. A token with no recorded use is either newly issued or was created and abandoned; the latter are prime candidates for deactivation, since an unused credential is attack surface with no operational benefit.

```sql
select
  name,
  status,
  issuer,
  expiration_time
from
  splunk_token
where
  last_used is null;
```
List expired tokens
List tokens whose expiration time has already passed. Splunk rejects expired tokens, but the records remain and clutter the inventory; this query finds them so they can be renewed if still needed or deleted otherwise. The comparison differs between Steampipe's PostgreSQL and SQLite backends.

PostgreSQL:

```sql
select
  name,
  status,
  issuer,
  expiration_time
from
  splunk_token
where
  now() > expiration_time;
```

SQLite:

```sql
select
  name,
  status,
  issuer,
  expiration_time
from
  splunk_token
where
  datetime('now') > expiration_time;
```
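The queries above each check one condition in isolation. The following is an added example, not part of the original page or the plugin's own documentation, that combines them into a single hygiene pass over enabled tokens for Steampipe's PostgreSQL backend: it flags tokens that are expired but still enabled, issued more than 30 days ago but never used, granted a lifetime longer than 90 days, or carrying the admin role. It assumes the `roles` jsonb column holds a JSON array of role-name strings (so the `?` containment operator applies); the 30-day and 90-day thresholds are illustrative and should match your own token policy.

```sql
-- Added example (not from the original page): one hygiene pass over enabled
-- tokens on Steampipe's PostgreSQL backend.
-- Assumption: "roles" is a JSON array of role-name strings such as
-- ["admin", "user"], so the jsonb ? operator tests membership.
-- Assumption: 30 and 90 days are placeholder thresholds; set them to policy.
select
  name,
  subject,
  issuer,
  issued_at,
  expiration_time,
  last_used,
  last_used_ip,
  roles,
  -- the first matching branch wins, so each token gets its most severe finding
  case
    when expiration_time < now()
      then 'expired but still enabled: disable or delete'
    when last_used is null
      and issued_at < now() - interval '30 days'
      then 'never used since issue 30+ days ago: likely abandoned'
    when expiration_time - issued_at > interval '90 days'
      then 'lifetime exceeds 90 days: shorten or rotate'
    when roles ? 'admin'
      then 'grants admin role: confirm owner and need'
  end as finding
from
  splunk_token
where
  status = 'enabled'
  and (
    expiration_time < now()
    or (last_used is null and issued_at < now() - interval '30 days')
    or expiration_time - issued_at > interval '90 days'
    or roles ? 'admin'
  )
order by
  finding,
  expiration_time;
```

Because the WHERE clause repeats the CASE conditions, only tokens with at least one finding are returned; a token can satisfy several conditions, but the CASE reports the highest-priority one so the output reads as a worklist. Tokens with a null `expiration_time` fall through the time comparisons and appear only if they are unused or admin-scoped, so check for null expirations separately if your Splunk deployment allows them.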
Schema for splunk_token
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
acl | jsonb | | Access Control List for the token.
audience | text | | Audience description given to the token on creation.
author | text | | Author of this object in the system.
expiration_time | timestamp with time zone | | Time when the token expires.
headers | jsonb | | Token headers including algorithm and version.
id | text | | ID of the token.
identity_provider | text | | Identity provider for the token, e.g. Splunk.
issued_at | timestamp with time zone | | Time when the token was issued.
issuer | text | | Issuer of the token.
last_used | timestamp with time zone | | Time when the token was last used.
last_used_ip | inet | | IP address the token was last used from.
links | jsonb | | Links for the token resource.
name | text | | Name of the token.
not_before | timestamp with time zone | | Time when the token becomes valid for use.
roles | jsonb | | Roles assigned to the token.
status | text | | Status of the token: enabled, disabled.
subject | text | | Subject is the user that the token represents.
updated | timestamp with time zone | | Time when the token was last updated.
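The `last_used_ip` column is typed `inet`, which means PostgreSQL network operators apply to it directly. The following added example, not part of the original page, uses the `<<=` (contained in or equal) operator to surface tokens whose most recent use came from outside the address ranges you expect, a quick way to spot a token that has left the environment it was issued for. The two ranges are placeholders standing in for your own trusted networks.

```sql
-- Added example (not from the original page): tokens last used from outside
-- trusted address ranges, using the inet type of last_used_ip on Steampipe's
-- PostgreSQL backend.
-- Assumption: 10.0.0.0/8 and 192.168.0.0/16 are placeholders for the ranges
-- your Splunk clients normally use; replace them with your own.
select
  name,
  subject,
  status,
  last_used,
  last_used_ip,
  roles
from
  splunk_token
where
  last_used_ip is not null          -- never-used tokens have no source address
  and not (
    last_used_ip <<= inet '10.0.0.0/8'
    or last_used_ip <<= inet '192.168.0.0/16'
  )
order by
  last_used desc;
```

A hit here is a lead, not a verdict: legitimate remote use, a VPN egress address outside the listed ranges, or a NAT boundary can all produce one. Correlate the token's `subject` and `last_used` timestamp with Splunk's own audit index before treating the token as compromised.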
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- splunk
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_splunk --config '<your_config>' splunk_token
```