- Create a saved search and save as an alert
- A username should be in one of the fields in the returned events
- Add "Remove SAML User" as an action for the alert
- Configure in the alert action which field the username is in
- More than one event can be returned, and the alert action will handle it
- Logs are written to $SPLUNK_HOME/var/log/splunk/remove_saml_user_modalert.log

The alert action performs some basic validation before it takes any action. Primarily, it checks that the configured user field exists and that its value looks like a valid SAML user before doing any removal.
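
A sketch of the kind of pre-removal gate described above, as an added example that is not the app's own code. The page does not say how the app decides that a value looks like a SAML user, so the email-style pattern, the protected-account list and the `select_users` name are assumptions.

```python
import re

# Assumption: SAML usernames in this deployment are email-style NameIDs.
SAML_USER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Assumption: accounts that must never reach a removal action.
PROTECTED = {"admin", "splunk-system-user", "nobody"}


def select_users(rows, user_field):
    """Return (users_to_remove, skipped) for the result rows of one alert firing."""
    to_remove, skipped, seen = [], [], set()
    for index, row in enumerate(rows):
        if user_field not in row:
            skipped.append((index, "field missing"))
            continue
        user = (row[user_field] or "").strip()
        if not user:
            skipped.append((index, "empty value"))
        elif user.lower() in PROTECTED:
            skipped.append((index, "protected account"))
        elif not SAML_USER_RE.fullmatch(user):
            skipped.append((index, "not SAML-shaped"))
        elif user.lower() in seen:
            # Several events can name the same user; act on each user once.
            skipped.append((index, "duplicate"))
        else:
            seen.add(user.lower())
            to_remove.append(user)
    return to_remove, skipped


# Constructed sample rows, shaped like the results of a saved search.
SAMPLE_ROWS = [
    {"user": "alice@example.com", "count": "12"},
    {"user": "alice@example.com", "count": "3"},
    {"user": "admin", "count": "1"},
    {"user": "bob@example.com; rm", "count": "1"},
    {"src": "10.0.0.5"},
    {"user": "", "count": "2"},
    {"user": "carol@corp.example.org", "count": "7"},
]

if __name__ == "__main__":
    remove, skipped = select_users(SAMPLE_ROWS, "user")
    print("remove:", remove)
    for index, reason in skipped:
        print(f"skip row {index}: {reason}")
```

Logging every skipped row with its reason, as the sketch prints them, gives the audit trail you would want next to a destructive alert action.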