Search Users

Search for users in Splunk Enterprise Security.

Options

Field Definition Type Required

Result Set

Choose a method to filter search results:

  • First Matching Record: Returns the first record that matches.

  • First 100 Matching Records: Returns the first 100 matching records.

  • Stream Matching Records: Passes all matching records from your parent flow to a helper flow.

    Selecting this option adds a Streaming input section to the card where you can select a helper flow for streaming and add custom extensible fields.

Dropdown

TRUE

Filter

Choose a filter to apply to the search results:

  • Equal: Returns the user details that exactly match the value provided in the input field.

  • Contains: Returns the user details that contain the value provided in the input field.

Dropdown

FALSE

Input

Field Definition Type Required

Search By

Username

Username of the user.

Text

FALSE

Email Address

The email address of the user.

Text

FALSE

Full Name

Name of the user.

Text

FALSE

Roles

Roles assigned to the user.

List of Text

FALSE

Time zone

Time zone of the user.

Dropdown

FALSE

Custom Search

Search by any value. This input is available only when the Filter option is set to Contains. It returns values that match any field in the user data.

Text

FALSE

Sort By

Order

Sort the results by order:

  • Ascending

  • Descending

Dropdown

FALSE

Field

Sort the results by field:

  • Username

  • Email

  • Time Zone

  • Full Name

Dropdown

FALSE

Streaming

Flow

Click Choose Flow to browse and select a helper flow where the search results will be streamed, then click Choose to confirm.

Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow.

This field appears when you select Stream Matching Records from the Result Set option.

Flow

TRUE

Record Limit

Specify the number of records to stream.

  • When the Record Limit field is set to a value greater than 0, the stream returns up to the maximum number specified.

  • When the Record Limit field is empty, null, or not selected, the stream returns all records.

  • The default value is 500000.

  • The valid range is from 1 to 500000.

This field appears when you select Stream Matching Records from the Result Set option.

Number

FALSE

Output

Field Definition Type

Result

Users

The users object.

List of Objects

Raw Output

Raw payload returned from the Splunk Enterprise Security API.

Object

Username

Username of the user.

Text

ID

Unique identifier of the user.

Text

Author

The user who executed the search for the user. By default, the author is System.

Text

Capabilities

List of capabilities assigned to the role.

List of Text

Default App

Default app assigned to the user. This setting overrides the default app inherited from the user's roles.

Text

Default App Is User Override

Indicates whether the default app overrides the user-role default app.

True/False

Email Address

The email address of the user.

Text

Is Locked Out

Indicates whether the user is locked out.

True/False

Full Name

Name of the user.

Text

Is Restart Background Jobs

If true, background search jobs that haven't completed are restarted when Splunk restarts.

True/False

Roles

Roles assigned to this user.

List of Text

Types

Displays one of the following user authentication system types:

  • LDAP

  • Scripted

  • Splunk

  • System (reserved for system user)

Text

Time zone

Time zone of the user.

Text

Records Streamed

Number of records streamed in a streaming flow.

This field appears when you select Stream Matching Records from the Result Set option.

Number
