steampipe plugin install splunk

Table: splunk_token - Query Splunk Tokens using SQL

Splunk is a software platform that provides real-time data processing capabilities and data visualization. It allows users to search, analyze, and visualize the raw data generated by their organization's IT infrastructure. A Splunk Token is a unique identifier used for authentication and authorization within the Splunk platform.

Table Usage Guide

The splunk_token table provides insights into tokens within Splunk. As a security analyst, explore token-specific details through this table, including token identifiers, creation time, and associated metadata. Use it to review how tokens are being used, to spot potential security risks such as stale or expired credentials, and to verify the permissions (roles) a token carries.

Examples

Basic info

Explore the status and issuer of various tokens, along with their expiration times, to better manage and monitor your token usage. This helps to maintain system security and ensures tokens are renewed or removed before they expire.

select
name,
status,
issuer,
expiration_time
from
splunk_token;

List disabled tokens

Explore which tokens have been disabled in your system to confirm that those credentials can no longer grant access. This helps in maintaining security and preventing potential data breaches.

select
name,
status,
issuer,
expiration_time
from
splunk_token
where
status = 'disabled';

List unused tokens

Identify instances where certain tokens have never been used. This can help in managing and deactivating unnecessary tokens, thereby enhancing system security.

select
name,
status,
issuer,
expiration_time
from
splunk_token
where
last_used is null;

List expired tokens

Identify tokens whose expiration time has already passed. This query is useful for spotting credentials that should have been rotated or cleaned up, and for ensuring prompt renewal or removal of expired tokens. The two variants below differ only in how the current time is obtained in Postgres and in SQLite.

Postgres:

select
name,
status,
issuer,
expiration_time
from
splunk_token
where
now() :: timestamp > expiration_time;

SQLite:

select
name,
status,
issuer,
expiration_time
from
splunk_token
where
datetime('now') > expiration_time;
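The examples above each check one condition. The query below combines them into a single triage view of tokens that are still enabled but look stale or risky, and orders admin-role tokens first. It is an added example, not a query from the Steampipe hub page or the plugin's own documentation. It is written for the Postgres dialect (the default Steampipe database), assumes that the roles column holds a JSON array of role names (e.g. ["admin", "user"]) so that the jsonb ? operator can test membership, and the 30-day and 90-day thresholds are illustrative values to adjust to your own policy:

```sql
-- Added example (not part of the Steampipe hub page). Postgres dialect.
-- Assumption: roles is a JSON array of role-name strings, e.g. ["admin","user"].
-- Thresholds (30 days unused since issue, 90 days idle, 7 days to expiry)
-- are illustrative, not Splunk defaults.
select
  name,
  subject,
  issuer,
  roles,
  issued_at,
  last_used,
  last_used_ip,
  expiration_time,
  case
    when expiration_time < now()
      then 'expired but still enabled'
    when last_used is null and issued_at < now() - interval '30 days'
      then 'never used, issued 30+ days ago'
    when last_used < now() - interval '90 days'
      then 'idle for 90+ days'
    when expiration_time < now() + interval '7 days'
      then 'expires within 7 days'
  end as finding
from
  splunk_token
where
  status = 'enabled'
  and (
    expiration_time < now()
    or (last_used is null and issued_at < now() - interval '30 days')
    or last_used < now() - interval '90 days'
    or expiration_time < now() + interval '7 days'
  )
order by
  (roles ? 'admin') desc,        -- tokens carrying the admin role first
  expiration_time nulls last;    -- then soonest-expiring (or already expired)
```

Each row comes back with a single finding label, so the result can be handed straight to whoever owns token hygiene; the last_used_ip column is included because a token that was last used from an unexpected address is worth a closer look even when it is not stale.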

Schema for splunk_token

Name | Type | Operators | Description
--- | --- | --- | ---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
acl | jsonb | | Access Control List for the token.
audience | text | | Audience description given to the token on creation.
author | text | | Author of this object in the system.
expiration_time | timestamp with time zone | | Time when the token expires.
headers | jsonb | | Token headers including algorithm and version.
id | text | | ID of the token.
identity_provider | text | | Identity provider for the token, e.g. Splunk.
issued_at | timestamp with time zone | | Time when the token was issued.
issuer | text | | Issuer of the token.
last_used | timestamp with time zone | | Time when the token was last used.
last_used_ip | inet | | IP address the token was last used from.
links | jsonb | | Links for the token resource.
name | text | | Name of the token.
not_before | timestamp with time zone | | Time when the token becomes valid for use.
roles | jsonb | | Roles assigned to the token.
status | text | | Status of the token: enabled, disabled.
subject | text | | Subject is the user that the token represents.
updated | timestamp with time zone | | Time when the token was last updated.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- splunk

You can pass the configuration to the command with the --config argument:

steampipe_export_splunk --config '<your_config>' splunk_token