Hi Team,
I'm planning to develop a default home dashboard for all the users in Splunk which shows information about their level of access (to which index/to which they have access and information related to searches and stuff). My question is: these metrics vary from user to user, so how do I parameterise this for each and every user who logs in to Splunk, or from where can I get the user ID of the user to use in the dashboard search query?
Thanks for the help.
@richgalloway Thanks for the reply. Do you have any sample dashboard code which I can use to pop it up as a default dashboard for all the users who log in to Splunk, with information like what indexes/apps they have access to and the searches they are running under their ID?
Appreciate your help. Thanks
Hi
Indexes where the user has access can be queried like this (but it requires REST API access).
| rest /services/authentication/users splunk_server=*
| search title!=admin
| table title roles
| rename title as user
| rename roles as title
| search user=$env:user$
| mvexpand title
| join type=left max=0 title
[| rest /services/authorization/roles splunk_server=*
| table title srchInd*
| eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault)
| table title indexes
| mvexpand indexes
| dedup title indexes
| eval indexes_orig=indexes
| join indexes max=0 type=left
[| rest /services/data/indexes
| stats count by title
| table title
| eval indexes=if(match(title,"^_"),"_*","*")
| rename title as indexes_new]
| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
| table title indexes]
| rename user as Username title as Group indexes as Index
| dedup Index
Thanks to someone for this query 😉
r. Ismo
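The role-to-index resolution the query above performs, as an added Python example (not part of the original post and not Splunk's own code): it runs over constructed sample data instead of live REST calls, and goes beyond the query by expanding any wildcard pattern, not only `*` and `_*`. The user, role and index names are made up, and the rule that a pattern reaches underscore-prefixed indexes only when it starts with `_` is an assumption generalized from the query's `_*`/`*` split.

```python
import fnmatch

# Constructed sample data shaped like what the query reads over REST:
# users -> roles, roles -> srchIndexesAllowed/srchIndexesDefault, index names.
USERS = {"alice": ["soc_analyst", "user"], "bob": ["user"]}
ROLES = {
    "soc_analyst": {"srchIndexesAllowed": ["fw_*", "_audit"],
                    "srchIndexesDefault": ["fw_edge"]},
    "user": {"srchIndexesAllowed": ["main"], "srchIndexesDefault": ["main"]},
    "power": {"srchIndexesAllowed": ["*", "_*"], "srchIndexesDefault": ["main"]},
}
INDEXES = ["main", "fw_edge", "fw_core", "hr", "_audit", "_internal"]


def pattern_matches(pattern, index):
    """Wildcard match. Assumption: a pattern reaches internal
    (underscore-prefixed) indexes only if it starts with '_' itself,
    mirroring the "_*" versus "*" split in the query."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def effective_indexes(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Return {index: sorted list of roles that grant it} for one user."""
    granted = {}
    for role in users.get(user, []):
        cfg = roles.get(role, {})
        patterns = (cfg.get("srchIndexesAllowed", [])
                    + cfg.get("srchIndexesDefault", []))
        for pattern in patterns:
            for index in indexes:
                if pattern_matches(pattern, index):
                    granted.setdefault(index, set()).add(role)
    return {idx: sorted(r) for idx, r in sorted(granted.items())}


if __name__ == "__main__":
    for name in USERS:
        print(name, effective_indexes(name))
```

Keeping the granting role next to each index makes it easy to see which role to change when a user can search more than intended.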
@kranthimutyala Yes, this should be solved using Splunk's REST API and based on the logged-in user. Following is an old answer of mine on similar lines.
@kranthimutyala as per your question, users, as per their access, will fetch the data from different indexes. Within different indexes the source type should ideally be the same if you are collecting the same data for providing the same dashboard for all of them. What do you mean by metrics being different? (1) Are the field names different but capture the same information, or (2) is the data type itself different?
If it is the first, then you need field normalisation by aliasing, a data model, or a parameterized macro based on the logged-in user. If not, you will have to provide more examples with cooked-up data for some dummy users, and then what kind of SPL and visualizations you have in the dashboard.
If the data itself is completely different for different users, I don't see how you can give the same dashboard for two different use cases.
Hi @niketn, I'm actually looking to implement a dashboard and set it as the default dashboard for each and every user, to show them what indexes/apps they have access to and show some other details. How do I get those details using Splunk queries, even for normal users? Basically this info is like metadata about each user, about their access to apps and indexes. Appreciate your help. Thanks