topic Re: current user in search? in Security

current user in search?

jgauthier — Fri, 05 Aug 2011 20:10:32 GMT

Is is possible to pull the current user name for use in a search?
For instance, a search that would do something like 'sourcetype="blah" user=$user | stats galore'

My long term goal is to populate list =ers based on user, and their employees. That data would come from AD. I have authentication with LDAP already, so this should match up pretty easily.

Thanks!

Re: current user in search?

acdevlin — Fri, 05 Aug 2011 23:21:57 GMT

Just to clarify, by "current user name" do you mean the user currently logged in to Splunk?

Re: current user in search?

fk319 — Mon, 28 Sep 2020 09:47:13 GMT

I know that when I display my page, I see my user name. I looked and python has several known variables.
$SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html

so, it seems possiable to do your search with the username, at least in python.

Re: current user in search?

jgauthier — Mon, 08 Aug 2011 19:05:37 GMT

Yes. The user logged into the web interface, potentially running reports.

Re: current user in search?

jgauthier — Mon, 08 Aug 2011 19:07:54 GMT

How would I expose python code to the search bar?

Re: current user in search?

Paolo_Prigione — Wed, 14 Mar 2012 10:22:19 GMT

You can, without any custom command:

rest /services/authentication/current-context/context | fields + username

e.g.

| head 10 | join [rest /services/authentication/current-context/context | fields + username]

will add a new column, username, to every result

index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ]

will look for all the splunk logs for the current user

Re: current user in search?

jgauthier — Wed, 14 Mar 2012 13:06:20 GMT

That's a really interesting approach. but 'rest' is not a command for me. Is there a minimum version number, or configuration?

"Search operation 'rest' is unknown. You might not have permission to run this operation."

Re: current user in search?

Paolo_Prigione — Wed, 14 Mar 2012 14:39:44 GMT

"rest" is a proper command, but it is available since v4.3 only (just checked in the docs). I'll paste the custom python command I was using with 4.2.x in another answer.

Re: current user in search?

Paolo_Prigione — Wed, 14 Mar 2012 14:48:32 GMT

Here's a custom python command to get the current user's username: http://pastebin.com/dij6QWBR . Store it in a getUsername.py script in, e.g.:

etc/apps/search/bin/

and append this to your commands.conf:

[getusername]
filename = getUsername.py
passauth = true
run_in_preview = true
streaming = true
retainsevents = true

The syntax is as such:

... | getusername [field=\w+]

if field is not specified, a new "splunk_username" field will be created. The value of "field" will be used otherwise.

Re: current user in search?

jgauthier — Wed, 14 Mar 2012 18:50:52 GMT

Wow. That totally worked. Thanks!

Re: current user in search?

htkwan — Fri, 29 Apr 2016 11:32:40 GMT

Hello Paolo,
Would you please provide the getUserName.py again? It's deleted from the pastebin.net. Thanks.

Re: current user in search?

pablord — Mon, 06 Feb 2017 18:51:51 GMT

Hello Paolo,
Could you upload again getUsername.py?. It's deleted from the pastebin.net
thanks!

Re: current user in search?

AzJimbo — Mon, 06 Feb 2017 21:18:12 GMT

I think this is new in 6.5, but I've been able to set variables with an env call in xml

<row>
<panel>
 <html>
<h1>Welcome  $env:user_realname$ </h1>
You are logged in as $env:user$
</html>
</panel>
</row>