Spread our blog

How to create an alert for any changes to the role of existing Users

Generally, for companies with small or mid-size Splunk deployment, where the number of Splunkers is not very high, the requirement of having alert for user role changes doesn’t seem feasible but for larger deployments, it somehow becomes necessary to keep an eye on the roles of the Users. 

The below query fetches the list of  Users, their roles and real names and stores them in a CSV file –

|rest /services/authentication/users splunk_server=local 
| fields title roles realname | rename title as User_Name,realname as Name, 
roles as Prev_roles | outputlookup <lookup_filename>

an example screenshot is below for your reference,

khkwjhfjwfw

 

Now, create a scheduled report for this query so that the CSV file has some update frequency. (we are scheduling this report to run once every week, at 10:00 am on Monday).

Now use the query shown below to set an alert whenever there is any change in the user roles. (We on purpose have changed the role of the User Abhay ) as depicted by the picture below.

NOTE: Schedule this alert as per the interest of your requirement.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as User_Name,realname as Name 
| lookup <lookup_filename> User_Name | where roles!=Prev_roles

ioufgwpwlgjklwgjw

That’s it!! 

Thanks for going through our post…

Happy Splunking!!

What’s your Reaction?
+1
+1
+1
+1
+1
+1
+1

Spread our blog
You can also know about :  How CRC works in Splunk?
Previous articleAbout Splunk Users and Roles
Next articleHow To Hide Error Message Icon From Splunk Dashboard Panels
Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content and it's work reflects that.

LEAVE A REPLY

Please enter your comment!
Please enter your name here