topic Re: Ingesting User Names in Splunk Enterprise

Ingesting User Names

biers04 — Tue, 29 Sep 2020 17:06:33 GMT

I am currently creating a dashboard for users.

index=mcafee AND Customer=Yes AND signature!="[New*" AND ("Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv")
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "file_name", Executable,Fingerprint
| eventstats sum(count) AS total_host
| where count<11
| rename file_name AS "File Name", earliest(TIME) AS "First Seen", count AS Count
| table "File Name", "Executable_,Fingerprint", Count, "Set As Clean"
| eval "Set As Clean"="Clean"
| sort - Count

When a user Clicks "Clean" it auto runs a query that pushes the file hash and filename to a CSV so we no longer see the file name associated with that file hash.

My problem comes in as I need non-repudiation. I am looking to push the current users name into the CSV, but I cannot figure out how to do so push the current user to a table. If I can get it to a table, I'll know how to push their name into the CSV. Current command I am attempting to use is "$env:user_realname$" as it grabs the users name instead of login name. I'm not sure if making it a token or there is something I am missing here.

Re: Ingesting User Names

biers04 — Thu, 07 Dec 2017 17:40:44 GMT

FYI to display usernames themselves it is

$env:user_realname$

(don't need the h1 tag). I just need a possible way to grab the h1 and push that to the csv as well.

Re: Ingesting User Names

biers04 — Thu, 07 Dec 2017 17:41:54 GMT

row panel html h1 id="User">$env:user_realname$

Did not realize it would not display toe row panel html h1 tag - reinserted here without the <>

Re: Ingesting User Names

niketn — Thu, 07 Dec 2017 18:06:54 GMT

@biers04, int the drilldown outputlookup command that pushes required file hash and filename to lookup CSV please add the following eval as well prior to the outputlookup command. This will add Real User Name as a new column in the lookup file

<YourDrilldownQuery>
| eval username="$env:user_realname$"
| outputlookup <YourCSVFileName>

PS: If for some reason this does not work, please post the current query being used in your drilldown. Also add some sample data to be pushed in the lookup file.

Following is the run anywhere Simple XML dashboard with username column displaying the full name of the logged in user using Splunk environment variable i.e. $env:user_realname$

<dashboard>
  <label>Add User Name to Outputlookup</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval data="method=post, log_level=warn,action=purchase;method=get, log_level=info,action=inquiry;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval username="$env:user_realname$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Re: Ingesting User Names

biers04 — Thu, 07 Dec 2017 18:46:14 GMT

Brilliant! Thank you, was missing
eval username="$env:user_realname$" within the search macro.

Re: Ingesting User Names

biers04 — Tue, 29 Sep 2020 17:06:44 GMT

Actually, it appears that within the CSV, it returns just the literal string "$env:user_realname$"

My drilldown query is as follows: