Splunk Query to list down active users and the knowledge object created by them


I need to list down the active users in SPLUNK along with reports, dashboards and use cases created by them.

I tried the query below, but it just gives a list of users and roles

| rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as userName | rename realname as Name

RichG On BEST ANSWER

As you've discovered, it takes more than one command to get all of the information you seek. The current query gets a list of users. Next, get lists of reports, dashboards, alerts, and other knowledge objects and correlate them with the list of users.

To get a list of reports and alerts:

| rest /servicesNS/-/-/saved/searches

To get a list of dashboards:

| rest /servicesNS/-/-/data/ui/views

To correlate all of the results:

| rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as userName | rename realname as Name
| append [ | rest /servicesNS/-/-/data/ui/views | fields eai:acl.owner label eai:acl.app eai:userName | rename eai:userName as userName, eai:acl.app as app ]
| append [ | rest /servicesNS/-/-/saved/searches | fields eai:acl.owner title eai:acl.app | rename eai:acl.owner as userName, eai:acl.app as app ]
| stats values(*) as * by userName
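
An added example, not part of RichG's answer: the same user-to-object correlation done offline in Python over the three REST responses. The JSON is constructed sample data in the shape the endpoints return with output_mode=json, and the function name inventory is hypothetical; objects whose owner is missing from the user list are reported separately.

```python
import json
from collections import defaultdict

# Constructed sample responses (not real data) in the shape Splunk's REST API
# returns with output_mode=json: entry[].name, entry[].acl.owner, entry[].acl.app.
USERS = json.loads('''{"entry": [
  {"name": "alice", "content": {"realname": "Alice A", "roles": ["admin"]}},
  {"name": "bob",   "content": {"realname": "Bob B",   "roles": ["user"]}}]}''')
SEARCHES = json.loads('''{"entry": [
  {"name": "Failed logins", "acl": {"owner": "alice", "app": "search"}},
  {"name": "Old alert",     "acl": {"owner": "carol", "app": "search"}}]}''')
VIEWS = json.loads('''{"entry": [
  {"name": "auth_overview", "acl": {"owner": "alice", "app": "search"}}]}''')


def inventory(users, searches, views):
    """Correlate each user with the saved searches and dashboards they own.

    Hypothetical helper: returns (rows, unmatched). rows is keyed by username;
    unmatched maps owners absent from the user list to their objects.
    """
    rows = {
        u["name"]: {"Name": u["content"].get("realname", ""),
                    "roles": sorted(u["content"].get("roles", [])),
                    "searches": [], "dashboards": []}
        for u in users["entry"]
    }
    unmatched = defaultdict(list)
    for kind, payload in (("searches", searches), ("dashboards", views)):
        for e in payload["entry"]:
            owner = e["acl"]["owner"]
            item = f'{e["acl"]["app"]}/{e["name"]}'
            if owner in rows:
                rows[owner][kind].append(item)
            else:
                unmatched[owner].append(item)
    return rows, dict(unmatched)


if __name__ == "__main__":
    rows, unmatched = inventory(USERS, SEARCHES, VIEWS)
    for user, row in rows.items():
        print(user, row)
    print("owners not in user list:", unmatched)
```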