Is It Possible to Assign a Token Value to a User or Role?

genesiusj
Builder

Hello,
We have a dashboard that monitors cost and fees for over 30 in-house applications. We need each application owner to be able to view only their own application and no other application owner's app.

index=$tok_index$
    AND FAILCODE=N
    AND (APPLICATIONNAME=$tok_payApp$ ....

$tok_pay$ is a selectable token from a dropdown input.

What we are looking for...
When user A. Smith clicks the dropdown they should only be able to see costingApp.
When user B. Jones clicks the dropdown they should only be able to see accountsApp.
etc....

I've checked the roles and capabilities doc page, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Rolesandcapabilities, but could not find anything.

I also checked here, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Addandeditroles#Specify_search_restricti.... Would this work with dashboards?

Is it feasible to create a conf file with a list of users and corresponding $tok_pay$ values, and assign it to a particular dashboard? Maybe built into the dashboard's XML code; or via a JS or CSS file; or another mechanism?

We don't want the administrative burden of building and managing 30+ dashboards in order to fulfill this requirement to our application owners; and we don't want to create separate indexes, etc., to handle this either.

Have any fezzes or other experts come across this requirement before?

Thanks in advance.
God bless,
Genesius

1 Solution

genesiusj
Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro, current_user, to find the user who is running the search (the logged-in user).

| rest /services/authentication/current-context 
    | table username 
    | search username!=splunk-system-user 
    | return $username

Run this macro against the _audit index with a one-minute time range. The results will be the list of their apps, which will be seen in the dropdown.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user` 
| eval payUser = user 
| lookup payUserToApp.csv payUser OUTPUTNEW payApp 
| dedup payApp 
| table payApp
| mvexpand payApp

Now, what I found interesting is that if I did not use | mvexpand payApp at the end of the search, my results would be concatenated.
Ex.: Without | mvexpand payApp
MV_VEHPPLS_MyLicense
With | mvexpand payApp
MV_VEHPP
LS_MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payApp command.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will mark this as Accepted at the end of the week.
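An added example in Python, not code from the original thread or from the accepted answer. The lookup-driven dropdown above shapes only what the dashboard offers: a user who holds the search capability can still open the panel's search in the Search app and substitute any APPLICATIONNAME value, so a per-owner restriction that must hold also needs a role search filter, the authorize.conf srchFilter that the question's second link ("Specify search restrictions") covers. The script reads the same payUserToApp.csv mapping the answer builds and emits one role per application, each restricting that role's searches to its APPLICATIONNAME value, plus the user-to-role list an authentication backend would need. Assumptions not taken from the thread: the field name APPLICATIONNAME (from the question's search), the role-name prefix app_, the index name cost_fees, the base role named user, and the sample CSV rows, which are constructed in the same shape as the answer's table.

```python
"""Turn the payUserToApp.csv mapping into Splunk role search filters.

Added example, not code from the original thread.  Assumed (not stated in
the thread): the cost/fee events carry APPLICATIONNAME, the roles import a
base role named `user`, the data lives in an index named `cost_fees`, and
generated role names are prefixed `app_`.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the same shape as the answer's payUserToApp.csv.
SAMPLE_CSV = """\
payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep
"""

FIELD = "APPLICATIONNAME"  # field the question's dashboard search filters on


def load_mapping(text):
    """Parse the CSV into {user: [app, ...]}, keeping file order and dropping
    duplicate rows (the same de-duplication the answer's `dedup payApp` does).
    Blank users or apps are rejected rather than silently mapped."""
    apps = defaultdict(list)
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        user = (row.get("payUser") or "").strip()
        app = (row.get("payApp") or "").strip()
        if not user or not app:
            raise ValueError(f"line {lineno}: payUser and payApp are required")
        if app not in apps[user]:
            apps[user].append(app)
    return dict(apps)


def role_name(app):
    """Splunk role names must be lowercase, with no spaces, colons or slashes;
    everything outside [a-z0-9_] is folded to an underscore."""
    return "app_" + re.sub(r"[^a-z0-9_]", "_", app.lower())


def spl_quote(value):
    """Quote a literal field value for use in a search string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def authorize_conf(mapping, base_role="user", index="cost_fees"):
    """Render one authorize.conf stanza per application.  A user who owns
    several apps is given several roles; Splunk ORs the srchFilter of every
    role the user holds, which yields exactly that user's app list."""
    all_apps = sorted({app for apps in mapping.values() for app in apps})
    stanzas = []
    for app in all_apps:
        stanzas.append(
            f"[role_{role_name(app)}]\n"
            f"importRoles = {base_role}\n"
            f"srchIndexesAllowed = {index}\n"
            f"srchFilter = {FIELD}={spl_quote(app)}\n"
        )
    return "\n".join(stanzas)


def user_roles(mapping):
    """{user: [role, ...]}: what to hand to the auth backend's role mapping."""
    return {user: [role_name(app) for app in apps] for user, apps in mapping.items()}


def effective_filter(mapping, user):
    """The restriction the search head would apply for `user` once the roles
    are assigned: the OR of the held roles' srchFilter terms.  Returns None
    for an unmapped user, meaning no role and therefore no access; callers
    must not treat None as 'unrestricted'."""
    apps = mapping.get(user)
    if not apps:
        return None
    return " OR ".join(f"{FIELD}={spl_quote(app)}" for app in apps)


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_CSV)
    print(authorize_conf(mapping))
    for user in mapping:
        print(f"# {user}: {effective_filter(mapping, user)}")
```

Two caveats before installing the output. Search filters of inherited roles are OR'ed together, so the base role you import must not itself carry a permissive srchFilter, or the per-app restriction is widened away; check the base role's stanza and then verify with a test account that holds only one generated role. And a srchFilter applies to every search that role runs, not just this dashboard, so events in the allowed index that lack an APPLICATIONNAME field become invisible to those users; that is usually the desired outcome for a cost/fee index, but confirm it before rolling the roles out to 30 owners. The dropdown from the accepted answer stays useful on top of this as the convenience layer: with the role filter in place, it can be populated from the same CSV without being the thing that enforces access.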
