Getting Data In

Session variable

hbazan
Path Finder

Hi there.Lets see if someone can help me with this. We have this requirement:

We have several saved searches and reports that need to be shown to a number of users, but with a slight change for different user groups. Lets say that the "change" is a value for a field, for instance Field1=$userField$ (maybe I could build a python command if that change isn't that simple, but that's not my question). What if I don't want to create a different app or saved search for each group, but get that userField value when the user logs. Are you following me?

One idea we had was to use query string values, we will publish splunk's url for each group like this: splunk.....?userField=value, and then use that value for every search. Maybe using a ServerSideInclude I can process that url and extract the value I need. The thing is that I can't find a way to keep this sort of Session variable, because I need it for every search the user use.

Is this possible? or is it maybe some easier way?

1 Solution

hbazan
Path Finder

OK. I haven't been able to do what I wanted. It seems there's be no way to store a value during the whole user session. The solution we've arrived so far is to embed a specially created view in some external web site, and call a saved search sending macro parameters. I mean, my saved search is something like:

index=some filterField=$filter$ | timechart count

and I embed the report on some html page of my own, like this:

<iframe src="http://splunk:8000/en-US/app/search/testFormView?q=|savedsearch %22MySavedSearch%22 filterField=FilterValue"
    width="80%" height="500">
    <p>Your browser does not support iframes.</p>
</iframe>

And this shows me the filtered report I wanted. This way I can get the FilterValue from the page, using JQuery or something else, thus limiting the amount of information showed to this particular user.

Can anyone think of a simpler solution?

View solution in original post

0 Karma

hbazan
Path Finder

OK. I haven't been able to do what I wanted. It seems there's be no way to store a value during the whole user session. The solution we've arrived so far is to embed a specially created view in some external web site, and call a saved search sending macro parameters. I mean, my saved search is something like:

index=some filterField=$filter$ | timechart count

and I embed the report on some html page of my own, like this:

<iframe src="http://splunk:8000/en-US/app/search/testFormView?q=|savedsearch %22MySavedSearch%22 filterField=FilterValue"
    width="80%" height="500">
    <p>Your browser does not support iframes.</p>
</iframe>

And this shows me the filtered report I wanted. This way I can get the FilterValue from the page, using JQuery or something else, thus limiting the amount of information showed to this particular user.

Can anyone think of a simpler solution?

0 Karma

hbazan
Path Finder

Where can I find those UI experts?

0 Karma

Lowell
Super Champion

Sounds like you might need some kind of custom UI layer in front of splunk. Out of curiosity, where are you storing the information about who has access to what? If you could store that info in one or more lookup tables, that may aide in your solution, but it sounds rather complicated and not an out-of-the-box kind of thing. But hopefully the UI experts can give a better direction.

0 Karma

hbazan
Path Finder

It's more a domain issue. But you are right, certain user should only see certain data.
Suppose you have a saved search that returns a timechart for user hits to a database server. And as a server admin you may want to see every hit. But some user might want to see the exact same search, with the addition of "search databasename=DB_mine". Picture that for a lot of searches and databases (not the exact problem, It's simplified)
For the admin, I can create a formsearch, put a selector, show every database name and use it for filtering. But final users shouldn't be able to change that selection.

0 Karma

Lowell
Super Champion

I think it would be helpful if you elaborate a little more on what kind of differences you want to see per user? Is this a security-kind of requirement where only certain users should see certain data, or is it more that users should only see activities based on their assigned responsibility or roles?

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...