I need to list down the active users in Splunk along with the reports, dashboards and use cases created by them.
I tried the query below, but it just gives a list of users and roles:
|rest /services/authentication/users splunk_server=local |fields title roles realname|rename title as userName|rename realname as Name
As you've discovered, it takes more than one command to get all of the information you seek. The current query gets a list of users. Next, get lists of reports, dashboards, alerts, and other knowledge objects and correlate them with the list of users.
To get a list of reports and alerts:
| rest /servicesNS/-/-/saved/searches
To get a list of dashboards:
| rest /servicesNS/-/-/data/ui/views
To correlate all of the results:
| rest /services/authentication/users splunk_server=local |fields title roles realname|rename title as userName|rename realname as Name
| append [ | rest /servicesNS/-/-/data/ui/views | fields eai:acl.owner label eai:acl.app | rename eai:acl.owner as userName, eai:acl.app as app ]
| append [ | rest /servicesNS/-/-/saved/searches | fields eai:acl.owner title eai:acl.app | rename eai:acl.owner as userName, eai:acl.app as app ]
| stats values(*) as * by userName