According to the Splunk Enterprise User Authentication and Authorization Guide, effective user management during deployment planning involves identifying how users will authenticate (native, LDAP, or SAML) and defining what roles and capabilities they will need to perform their tasks.
However, counting or analyzing the number of users who appear in Splunk log events (Option C) is not part of user management planning. This metric relates to audit and monitoring, not access provisioning or role assignment.
A proper user management plan should address:
Authentication method selection (native, LDAP, or SAML).
User mapping and provisioning workflows from existing identity stores.
Role-based access control (RBAC) — assigning users appropriate permissions via Splunk roles and capabilities.
Administrative governance — ensuring access policies align with compliance requirements.
Determining the number of users visible in log events provides no operational value when planning Splunk authentication or authorization architecture. Therefore, this task can be safely disregarded during initial planning.
References (Splunk Enterprise Documentation):
• User Authentication and Authorization in Splunk Enterprise
• Configuring LDAP and SAML Authentication
• Managing Users, Roles, and Capabilities
• Splunk Deployment Planning Manual – Security and Access Control Planning
