topic Re: resolving username from uid in a splunk query in Splunk Search

resolving username from uid in a splunk query

mullica1 — Wed, 24 Mar 2021 12:54:56 GMT

Greetings-

I'm putting together a dashboard query that shows uid's and systems as a result. I would like to resolve that uid to a username, so the the dashboard output will be username and system. I have written a python script that when passed uid will return the username. What I'm stumbling with is calling it correctly and using the output. I've tried calling it as a script and a lookup, verified it is running but can't get it to do what I want. Can someone give me a shove in the right direction please?

Re: resolving username from uid in a splunk query

scelikok — Wed, 24 Mar 2021 14:28:43 GMT

Hi @mullica1,

The best way to do is create a lookup file that contains all uid, system and usernames. You can update this lookup using your script with crontab. And use that lookup at the end of your dashboard search like below sample;

Lookup file sample;

uid_lookup.csv uid,system,username 1001,host1,user1

| lookup uid_lookup.csv uid system OUTPUT username | table username system

Re: resolving username from uid in a splunk query

richgalloway — Wed, 24 Mar 2021 17:19:35 GMT

An external lookup should do the job. Have you looked at https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Configureexternallookups ?

Please explain what you want it to do and what it is actually doing.

Re: resolving username from uid in a splunk query

mullica1 — Wed, 24 Mar 2021 15:27:48 GMT

Thanks I'll check the link, I've read till my eyes have bled.

Here's what I'm doing. A dashboard query similar to

sourcetype=linux_audit............. | stats by uid,host

which gives me a table of uid and hosts. Unfortunately the audit records in question don't have the user account name, just the uid. What I want to do is turn that table into user, host by passing the uid's to a python script like

import sys

import pwd

arg=int(sys.argv[1])

results=pwd.getpwuid(arg).pw_name

print(results)

My python scripts works as expected and I can call it from the command line with the expected results. I made an entry in transforms.conf.

what's tripping me up is how to invoke it correctly.

Re: resolving username from uid in a splunk query

mullica1 — Wed, 24 Mar 2021 17:06:09 GMT

Only issue with that from what I see is if there is no value in the table for uid lookup, then nothing is returned. Which means that possibly an unresolved audit record will not be shown in the table. I was going to enhance my python script to return the uid if the lookup was unsuccessful, so at least the unresolved uid would be shown in the query.

Re: resolving username from uid in a splunk query

mullica1 — Wed, 24 Mar 2021 17:21:26 GMT

Just proved myself wrong, I can user coalesce.

eval account=coalesce(account,uid)

if not found it will just list the uid. Thanks.

Re: resolving username from uid in a splunk query

richgalloway — Wed, 24 Mar 2021 17:21:55 GMT

One cannot invoke an ordinary Python script from SPL. There is a protocol that Splunk uses to communicate with the script. Learn more at dev.splunk.com.