Hi Guys
I am trying to load searches based upon the logged-in user - in this way one dashboard can serve the need for user-based data access. I know that we can access the global tokens $env:user$ or $env:user_realname$ etc. in the panel titles or HTML panels - for instance:
<panel>
<html>
<p>Currently Logged In User: $env:user$</p>
<p>Full name of logged in user: $env:user_realname$</p>
</html>
</panel>
but when I try something like this:
| stats count | eval user1 = $env:user$ | eval user = case($env:user$ == "admin","hello admin",1==1,"hello user")
It doesn't seem to work in simple xml. Any solution for that? I am on Splunk Cloud so don't have much room to play with .js files with simple xml.
Well this is not achievable as tokens are only visible in Simple XML not in SPL. However, a workaround would be to get the user from an API call:
| rest /services/authentication/current-context splunk_server=local | fields username
Once you have the user name you can apply the search commands on or using the username
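The following run-anywhere dashboard is an added example (not from the original answer) of wiring that rest workaround into Simple XML: a dashboard-level search runs the rest command once on load, a <done> handler copies the returned username into a dashboard token, and the panel's search then uses that token with the |s filter. The token name current_user and the search id current_ctx are my own choices; the _audit query is modelled on the one used later in this thread.

```xml
<dashboard>
  <label>Per-user panel via rest workaround (added example)</label>

  <!-- Dashboard-level search: runs once on load and copies the username
       returned by the rest endpoint into the current_user token.
       $result.username$ refers to the field of the first result row. -->
  <search id="current_ctx">
    <query>| rest /services/authentication/current-context splunk_server=local | fields username</query>
    <done>
      <set token="current_user">$result.username$</set>
    </done>
  </search>

  <row>
    <panel>
      <!-- The token works in titles/HTML just like $env:user$ does. -->
      <title>Login attempts in the last 24 hours for $current_user$</title>
      <table>
        <!-- depends= keeps the panel hidden and its search idle until the
             token is set, so the query never runs with an empty username. -->
        <search depends="$current_user$">
          <!-- |s wraps the token value in double quotes so a username
               containing spaces or special characters is still a single term. -->
          <query>index=_audit action="login attempt" user=$current_user|s$ | table _time user action info</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

One caveat worth keeping in mind when using this for "user-based data access": a token only shapes the query the dashboard submits. Anyone who can open the panel's search in the search view can edit the filter away, so the dashboard is a convenience, not an access control. The actual restriction should live in the user's role (the indexes the role may search and its search filter), with the dashboard token merely pre-selecting the user's own data.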
Hi,
When you are searching for user1 you need to wrap the value in quotes by writing $token_name|s$.
It will ensure that quotation marks surround the value referenced by the token.
| stats count | eval user1 = $env:user|s$ | eval user = case(user1 == "admin","hello admin",1==1,"hello user")
hey try this run anywhere XML and you can take it as a reference to build yours.
<dashboard>
<label>Default Environment Tokens</label>
<description>Global default environment tokens available on initial load, and can be used throughout the page.</description>
<row>
<panel>
<html>
<h1>Hello, $env:user_realname$!</h1>
</html>
<table>
<title>Login Attempts in the Last 24 Hours (for user="$env:user$")</title>
<search>
<query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
<html depends="$env:is_enterprise$">
<i class="icon icon-info"/>
<span>This is only visible in Splunk Enterprise and hidden in Splunk Lite, Splunk Free, etc.</span>
</html>
</panel>
</row>
</dashboard>
Also your query looks dicey, you can try this
| stats count | eval user1=$env:user|s$ | eval user = case(user1="admin","hello admin",1==1,"hello user")
In your query, you are assigning the token value to user1, then you are using the token value in the eval case; instead you should use the user1 field.
let me know if this helps!
Thanks mayurr98
I've tried the code and query you provided, but as I stated in my question - the env tokens work fine with panel labels or in HTML panels, however they don't work in SPL queries. Hence this part doesn't work for me:
<search>
<query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
I'm using Splunk 6.6 in Cloud.
try wrapping your token in single quotes in your case statement, case('$env:user$' == "admin"
Nope. Already tried it...