Use global tokens in SPL

nabeel652
Builder

Hi Guys

I am trying to load searches based upon the logged-in user. In this way, one dashboard can suffice for the need for user-based data access. I know that we can access the global tokens $env:user$ or $env:user_realname$ etc. in the panel titles or HTML panels, for instance:

<panel>
  <html>
    <p>Currently Logged In User: $env:user$</p>
    <p>Full name of logged in user: $env:user_realname$</p>
  </html>
</panel>

but when I try something like this:

| stats count | eval user1 = $env:user$ | eval user = case($env:user$ == "admin","hello admin",1==1,"hello user")

It doesn't seem to work in Simple XML. Any solution for that? I am on Splunk Cloud, so I don't have much room to play with .js files with Simple XML.

0 Karma
1 Solution

nabeel652
Builder

Well, this is not achievable, as tokens are only visible in Simple XML, not in SPL. However, a workaround would be to get the user from an API call:

| rest /services/authentication/current-context splunk_server=local | fields username

Once you have the user name you can apply the search commands on or using the username.

0 Karma
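
The workaround from the accepted answer, placed in a dashboard, as an added example that is not part of the original thread. It assumes the `_audit` search and the `user` field used elsewhere on this page; the labels and titles are made up for illustration.

```xml
<dashboard>
  <label>Current-user panels (added example)</label>
  <!-- Added example, not code from the thread. No $env:...$ token is used
       inside the queries; the username comes from the REST endpoint. -->
  <row>
    <panel>
      <table>
        <title>Login attempts in the last 24 hours for the current user</title>
        <search>
          <!-- The subsearch in [ ] runs first and returns user="(current username)",
               which then filters the outer search on the user field. -->
          <query>index=_audit action="login attempt"
    [| rest /services/authentication/current-context splunk_server=local
     | fields username
     | rename username AS user ]
| table _time user action info</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <title>Greeting computed in SPL</title>
        <search>
          <!-- Same case() logic as the question, applied to the username field. -->
          <query>| rest /services/authentication/current-context splunk_server=local
| fields username
| eval greeting = case(username == "admin", "hello admin", true(), "hello user")
| table username greeting</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

A dashboard filter like this only shapes what the panel shows; it is not an access control, since a user with search access to the index can run the query without the subsearch. Restricting which events a role can see is done with role-based search filters.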


493669
Super Champion

Hi,
When you are searching for user1, you need to wrap the value in quotes by writing $token_name|s$. It ensures that quotation marks surround the value referenced by the token.

| stats count | eval user1 = $env:user|s$ | eval user = case(user1  == "admin","hello admin",1==1,"hello user")
0 Karma

mayurr98
Super Champion

Hey, try this run-anywhere XML; you can take it as a reference to build yours.

<dashboard>
    <label>Default Environment Tokens</label>
    <description>Global default environment tokens available on initial load, and can be used throughout the page.</description>
    <row>
        <panel>
            <html>
                <h1>Hello, $env:user_realname$!</h1>
            </html>
            <table>
                <title>Login Attempts in the Last 24 Hours (for user="$env:user$")</title>
                <search>
                    <query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
                    <earliest>-24h</earliest>
                    <latest>now</latest>
                </search>
            </table>
            <html depends="$env:is_enterprise$">
                <i class="icon icon-info"/>
                <span>This is only visible in Splunk Enterprise and hidden in Splunk Lite, Splunk Free, etc.</span>
            </html>
        </panel>
    </row>
</dashboard>

Also, your query looks dicey; you can try this:

| stats count | eval user1=$env:user|s$ | eval user = case(user1="admin","hello admin",1==1,"hello user")

In your query, you are assigning the token value to user1, and then you are using the token value in the eval case; instead, you should use the user1 field.

Let me know if this helps!

nabeel652
Builder

Thanks mayurr98

I've tried the code and query you provided, but as I stated in my question, the env tokens work fine with panel labels or in HTML panels; however, they don't work in SPL queries. Hence this part doesn't work for me:

<search>
           <query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
           <earliest>-24h</earliest>
           <latest>now</latest>
 </search>

I'm using Splunk 6.6 in Cloud.

0 Karma

davpx
Communicator

Try wrapping your token in single quotes in your case statement: case('$env:user$' == "admin"

0 Karma

nabeel652
Builder

Nope. Already tried it...

0 Karma