Use global tokens in SPL

nabeel652
Builder

Hi Guys

I am trying to load searches based upon the logged-in user. In this way one dashboard can suffice for the need for user-based data access. I know that we can access the global tokens $env:user$ or $env:user_realname$ etc. in the panel titles or HTML panels, for instance:

<panel>
  <html>
    <p>Currently Logged In User: $env:user$</p>
    <p>Full name of logged in user: $env:user_realname$</p>
  </html>
</panel>

but when I try something like this:

| stats count | eval user1 = $env:user$ | eval user = case($env:user$ == "admin","hello admin",1==1,"hello user")

It doesn't seem to work in Simple XML. Any solution for that? I am on Splunk Cloud, so I don't have much room to play with .js files with Simple XML.

0 Karma
1 Solution

nabeel652
Builder

Well, this is not achievable, as tokens are only visible in Simple XML, not in SPL. However, a workaround would be to get the user from an API call:

| rest /services/authentication/current-context splunk_server=local | fields username

Once you have the username, you can apply the search commands on or using the username.

0 Karma
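
One way to apply this workaround in Simple XML, as an added example that is not part of the original thread: the REST lookup supplies the viewer's username to the searches, first as a subsearch filter and then as the input to the greeting eval from the question. The index, action and field names are taken from the _audit query posted elsewhere in this thread; the dashboard label and panel titles are made up for illustration.

```xml
<dashboard>
  <label>Per-user view (added example)</label>
  <row>
    <panel>
      <table>
        <title>Login attempts in the last 24 hours for the logged-in user</title>
        <search>
          <!-- The bracketed subsearch runs first, as the user viewing the
               dashboard. It returns a single field, user=<name>, which the
               outer search receives as an ordinary filter term. -->
          <query>
            index=_audit action="login attempt"
              [| rest /services/authentication/current-context splunk_server=local
               | fields username
               | rename username AS user]
            | table _time user action info
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <title>Greeting derived from the username</title>
        <search>
          <!-- Same lookup, used directly: the case() from the question now
               compares a real field instead of an unexpanded token. -->
          <query>
            | rest /services/authentication/current-context splunk_server=local
            | fields username
            | eval user = case(username == "admin", "hello admin", 1==1, "hello user")
            | table username user
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The filter lives in the dashboard's query, so it shapes what the panel displays; what a user is able to search is still governed by their role's index and search restrictions.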

493669
Super Champion

Hi,
When you are searching for user1, you need to wrap the value in quotes by writing $token_name|s$. It ensures that quotation marks surround the value referenced by the token.

| stats count | eval user1 = $env:user|s$ | eval user = case(user1  == "admin","hello admin",1==1,"hello user")
0 Karma

mayurr98
Super Champion

Hey, try this run-anywhere XML; you can take it as a reference to build yours.

<dashboard>
    <label>Default Environment Tokens</label>
    <description>Global default environment tokens available on initial load, and can be used throughout the page.</description>
    <row>
        <panel>
            <html>
                <h1>Hello, $env:user_realname$!</h1>
            </html>
            <table>
                <title>Login Attempts in the Last 24 Hours (for user="$env:user$")</title>
                <search>
                    <query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
                    <earliest>-24h</earliest>
                    <latest>now</latest>
                </search>
            </table>
            <html depends="$env:is_enterprise$">
                <i class="icon icon-info"/>
                <span>This is only visible in Splunk Enterprise and hidden in Splunk Lite, Splunk Free, etc.</span>
            </html>
        </panel>
    </row>
</dashboard>

Also, your query looks dicey; you can try this:

| stats count | eval user1=$env:user|s$ | eval user = case(user1="admin","hello admin",1==1,"hello user")

In your query, you are assigning the token value to user1, then you are using the token value in the eval case; instead, you should use the user1 field.

Let me know if this helps!

nabeel652
Builder

Thanks mayurr98

I've tried the code and query you provided, but as I stated in my question, the env tokens work fine with panel labels or in HTML panels; however, they don't work in SPL queries. Hence this part doesn't work for me:

<search>
    <query>index=_audit action="login attempt" user=$env:user|s$ | table _time user action info</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
</search>

I'm using Splunk 6.6 in Cloud.

0 Karma

davpx
Communicator

Try wrapping your token in single quotes in your case statement: case('$env:user$' == "admin"

0 Karma

nabeel652
Builder

Nope. Already tried it...

0 Karma