Dashboards & Visualizations

default home dashboard for each specific user

kranthimutyala
Path Finder

Hi Team,

I'm planning to develop a default home dashboard for all users in Splunk that shows information about their level of access (to which index/to which they have access, and information related to searches and stuff). My question is: these metrics vary from user to user, so how do I parameterise this for each and every user who logs in to Splunk, or where can I get the user ID of the user to use in the dashboard search query?

Thanks for the help.

 

@niketn  @gaurav_maniar 

0 Karma

richgalloway
SplunkTrust
You can use the $env:user$ token to insert the user's account name into your query.
---
If this reply helps you, Karma would be appreciated.
0 Karma

kranthimutyala
Path Finder

@richgalloway Thanks for the reply. Do you have any sample dashboard code which I can use to pop it up as a default dashboard for all users whoever log in to Splunk, with information like what indexes/apps they have access to and the searches they are running under their ID?

Appreciate your help. Thanks

0 Karma

isoutamo
SplunkTrust

Hi

Indexes to which a user has access can be queried like this (but it requires REST API access).

| rest /services/authentication/users splunk_server=* 
| search title!=admin 
| table title roles 
| rename title as user 
| rename roles as title 
| search user=$env:user$ 
| mvexpand title 
| join type=left max=0 title 
    [| rest /services/authorization/roles splunk_server=* 
    | table title srchInd* 
    | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) 
    | table title indexes 
    | mvexpand indexes 
    | dedup title indexes 
    | eval indexes_orig=indexes 
    | join indexes max=0 type=left 
        [| rest /services/data/indexes 
        | stats count by title 
        | table title 
        | eval indexes=if(match(title,"^_"),"_*","*") 
        | rename title as indexes_new] 
    | eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) 
    | table title indexes] 
| rename user as Username title as Group indexes as Index 
| dedup Index

Thanks to someone for this query 😉

r. Ismo 

0 Karma
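Added example, not part of the post above or of any Splunk code: an offline Python model of the resolution that query performs, from user to roles to index patterns to concrete indexes. It goes beyond the query by expanding any `*` pattern, not only `*` and `_*`, and by keeping track of which role grants each index. The user, role and index names are constructed sample data, and `pattern_matches` and `effective_indexes` are hypothetical helper names.

```python
import re

# Constructed sample data, shaped like the fields the query above reads:
# user -> roles, role -> srchIndexesAllowed / srchIndexesDefault, index names.
USERS = {"alice": ["user", "secops"], "bob": ["user"]}
ROLES = {
    "user": {"srchIndexesAllowed": ["main", "web_*"], "srchIndexesDefault": ["main"]},
    "secops": {"srchIndexesAllowed": ["*", "_audit"], "srchIndexesDefault": ["main"]},
}
INDEXES = ["main", "web_prod", "web_dev", "firewall", "_internal", "_audit"]


def pattern_matches(pattern, index):
    """True if a role's index pattern covers a concrete index name.

    Only "*" is a wildcard. Mirroring the "_*" / "*" split in the query,
    internal indexes (leading "_") match only patterns that start with "_".
    """
    if index.startswith("_") != pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def effective_indexes(user, users=USERS, roles=ROLES, indexes=INDEXES):
    """Return {index: [roles granting it]} for one user (hypothetical helper)."""
    granted = {}
    for role in users.get(user, []):
        cfg = roles.get(role, {})
        patterns = cfg.get("srchIndexesAllowed", []) + cfg.get("srchIndexesDefault", [])
        for index in indexes:
            if any(pattern_matches(p, index) for p in patterns):
                granted.setdefault(index, set()).add(role)
    return {index: sorted(by) for index, by in sorted(granted.items())}


if __name__ == "__main__":
    for name in USERS:
        for index, by in effective_indexes(name).items():
            print(f"{name:6} {index:10} via {', '.join(by)}")
```

Keeping the granting role next to each index makes it easy to see that a broad `*` in one role does not expose internal indexes, while an explicit `_audit` entry does.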

niketn
Legend

@kranthimutyala Yes, this should be solved using Splunk's REST API, based on the logged-in user. The following is an old answer of mine along similar lines.

https://community.splunk.com/t5/Dashboards-Visualizations/How-to-pass-a-dashboard-as-value-in-dropdo...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway
SplunkTrust
I do not have any such code, but Splunkbase might. Try https://splunkbase.splunk.com/app/3849/ as an example.
---
If this reply helps you, Karma would be appreciated.
0 Karma

niketn
Legend

@kranthimutyala As per your question, users will fetch data from different indexes according to their access. Within the different indexes, the source type should ideally be the same if you are collecting the same data to provide the same dashboard for all of them. What do you mean by metrics being different? (1) Are the field names different but capturing the same information, or (2) is the data type itself different?

If it is the first, then you need field normalisation by aliasing, a data model, or a parameterized macro based on the logged-in user. If not, you will have to provide more examples with cooked-up data for some dummy users, and then what kind of SPL and visualizations you have in the dashboard.

If the data itself is completely different for different users, I don't see how you can give the same dashboard for two different use cases.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kranthimutyala
Path Finder

Hi @niketn I'm actually looking to implement a dashboard and set it as the default dashboard for each and every user, to show them what indexes/apps they have access to and show some other details. How do I get those details using Splunk queries, even for normal users? Basically this info is like metadata about each user, about their access to apps and indexes. Appreciate your help. Thanks

0 Karma