Dashboards & Visualizations

Is It Possible to Assign a Token Value to a User or Role?

genesiusj
Builder

Hello,
We have a dashboard that monitors cost and fees for over 30 in-house applications. We need to have each application owner be only able to view their application and no other application owner's app.

index=$tok_index$
    AND FAILCODE=N
    AND (APPLICATIONNAME=$tok_payApp$ ....

$tok_pay$ is a selectable token from a dropdown input.

What we are looking for...
When user A. Smith clicks the dropdown they should only be able to see costingApp.
When user B. Jones clicks the dropdown they should only be able to see accountsApp.
etc....

I've checked the roles and capabilities doc page, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Rolesandcapabilities, but could not find anything.

I also checked here, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Addandeditroles#Specify_search_restricti.... Would this work with dashboards?

Is it feasible to create a conf file with a list of users and corresponding $tok_pay$ values, and assigning it for a particular dashboard? Maybe built into the dashboard's XML code; or via a JS or CSS file; or another mechanism?

We don't want the administrative burden of building and managing 30+ dashboards in order to fulfill this requirement to our application owners; and we don't want to create separate indexes, etc., to handle this either.

Any fezzes or other experts come across this requirement before?

Thanks in advance.
God bless,
Genesius

0 Karma
1 Solution

genesiusj
Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro current_user to find the user who is running (logged in).

| rest /services/authentication/current-context
    | table username
    | search username!=splunk-system-user
    | return $username

Run this macro against the _audit index with a one-minute time range. The results will be the list of their apps, which will be seen in the dropdown.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user`
| eval payUser = user
| lookup payUserToApp.csv payUser OUTPUTNEW payApp
| dedup payApp
| table payApp
| mvexpand payApp

Now what I found interesting is that if I did not use the | mvexpand payApp at the end of the search, my results would be concatenated.
Ex.: Without | mvexpand payApp
MV_VEHPPLS_MyLicense
With | mvexpand payApp
MV_VEHPP
LS_MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payApp command.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will make this as Accepted at the end of the week.

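Wiring the dropdown search above into a Simple XML dashboard, as an added example that is not from the original post: the form layout, the tok_index text input, its placeholder default, the panel search and the 24-hour time range are assumptions; the lookup, macro and dropdown search are the ones described in the answer.

```xml
<form>
  <label>Application cost and fees</label>
  <!-- Assumed for this example: the original post only shows the dropdown
       search and the $tok_index$ / $tok_payApp$ tokens, not the inputs. -->
  <fieldset submitButton="false">
    <input type="text" token="tok_index">
      <label>Index</label>
      <default>cost_index_placeholder</default>
    </input>
    <!-- The dropdown is populated per user: `current_user` resolves the
         logged-in account and the lookup maps it to its apps. When several
         lookup rows match one _audit event, payApp comes back as a single
         multivalue field; mvexpand turns it into one row per app, which is
         why the values otherwise appear run together in the dropdown.
         Expanding before dedup keeps the per-row dedup meaningful. -->
    <input type="dropdown" token="tok_payApp" searchWhenChanged="true">
      <label>Application</label>
      <search>
        <query>index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user`
| eval payUser = user
| lookup payUserToApp.csv payUser OUTPUTNEW payApp
| mvexpand payApp
| dedup payApp
| table payApp</query>
      </search>
      <fieldForLabel>payApp</fieldForLabel>
      <fieldForValue>payApp</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- The dropdown only limits what this dashboard offers. A user who
             can run ad-hoc searches can still query other APPLICATIONNAME
             values unless the role's search restriction (the Addandeditroles
             page linked in the question) is also set. -->
        <search>
          <query>index=$tok_index$ FAILCODE=N APPLICATIONNAME="$tok_payApp$"
| stats count BY APPLICATIONNAME</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```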

