Table: splunk_user - Query Splunk Users using SQL
Splunk is a software platform widely used for monitoring, searching, analyzing and visualizing machine-generated data. In Splunk, a user is an entity whose capabilities determine the actions it can take and the resources it can access; those capabilities come from the roles assigned to the user.
Table Usage Guide
The splunk_user table provides insights into user management within Splunk. As a system administrator or security analyst, explore user-specific details through this table, including their assigned roles, real names, and emails. Use it to manage user access, understand role assignment, and ensure the right privileges are assigned to the right users.
Examples
Basic info
List each user's name, real name, email, authentication type, and timezone. This gives a quick overview of who has an account on the deployment and how each account authenticates, and provides the contact details needed to reach those users.

```sql
select
  name,
  real_name,
  email,
  authentication_type,
  tz as user_timezone
from splunk_user;
```
List users using role-based user authentication
List users together with their authentication type and assigned roles. This shows which mechanism (LDAP, Scripted, Splunk, or System) each account authenticates with and which roles it holds, which helps in reviewing the access controls in place and spotting inconsistencies.

```sql
select
  name,
  email,
  authentication_type,
  roles
from splunk_user;
```
List users with admin privileges
List users who have been granted the admin role. This is essential for managing access control and making sure administrative privileges are limited to the people who need them.

Postgres:

```sql
select
  name,
  email,
  authentication_type,
  roles
from splunk_user
where roles ?| array ['admin'];
```

SQLite: Error: SQLite does not support array operations.
List locked-out users
Identify users who are currently locked out of their accounts. Lockouts need prompt attention both to restore legitimate access and because they can signal repeated failed login attempts against an account.

Postgres:

```sql
select
  name,
  email,
  authentication_type,
  locked_out
from splunk_user
where locked_out;
```

SQLite:

```sql
select
  name,
  email,
  authentication_type,
  locked_out
from splunk_user
where locked_out = 1;
```
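The queries above can be combined into a small privileged-account audit. The following is an added example and not part of the Steampipe documentation; it uses Postgres syntax against the splunk_user columns documented in the schema below and assumes `roles` is a JSON array of role names, as the admin example above implies.

```sql
-- Added example (not from the Steampipe docs): audit privileged Splunk accounts.
-- Postgres syntax; assumes the splunk_user table exactly as documented on this page.

-- 1. Users holding the admin role, how they authenticate, and whether they are
--    locked out. Local ('Splunk') accounts with admin rights deserve review first,
--    because they are not governed by a central directory such as LDAP.
select
  name,
  real_name,
  email,
  authentication_type,
  locked_out,
  roles
from splunk_user
where roles ? 'admin'
order by authentication_type, name;

-- 2. Role inventory: how many users hold each role. jsonb_array_elements_text
--    unnests the roles array so that each (user, role) pair becomes its own row.
select
  r.role,
  count(*) as user_count,
  array_agg(u.name order by u.name) as users
from splunk_user u
cross join lateral jsonb_array_elements_text(u.roles) as r(role)
group by r.role
order by user_count desc, r.role;

-- 3. Admin accounts with no email address on record, which makes ownership
--    tracking and notification harder during an incident.
select
  name,
  authentication_type
from splunk_user
where roles ? 'admin'
  and (email is null or email = '');
```

Under SQLite the `?` and `?|` operators are unavailable, as the admin example above notes, so the role checks would need a different approach there.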
Schema for splunk_user
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
acl | jsonb | | Access Control List for the user. |
authentication_type | text | | Authentication type: LDAP, Scripted, Splunk, System (reserved for system user). |
capabilities | jsonb | | List of capabilities assigned to the user. |
default_app | text | | Default app for the user, which is invoked at login. |
default_app_is_user_override | boolean | | True if the default app overrides the user role default app. |
default_app_source_role | text | | The role that determines the default app for the user, if the user has multiple roles. |
email | text | | User email address. |
id | text | | ID of the user. |
locked_out | boolean | | True if the user has been locked out. |
name | text | = | Name of the user. |
real_name | text | | User full name. |
restart_background_jobs | boolean | | True if incomplete background search jobs should be restarted when Splunk restarts. |
roles | jsonb | | Roles assigned to the user. |
search_assistant | text | | Full search assistant is useful when first learning to create searches. Compact provides more succinct assistance. |
search_auto_format | boolean | | If true, automatically format search syntax to improve readability. |
search_line_numbers | boolean | | If true, shows numbers next to each line in the search syntax. |
search_syntax_highlighting | text | | Theme for search query syntax highlighting. |
search_use_advanced_editor | boolean | | The advanced editor can provide auto-formatting, line numbers, and highlight search syntax for increased readability. You can also turn off the advanced editor to use the basic search format. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tz | text | | User timezone. |
updated | timestamp with time zone | | Time when the user was last updated. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- splunk
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_splunk --config '<your_config>' splunk_user
```